Protecting your web page(s) from email address harvesting
If you are responsible for a web space, be aware that email addresses published on your pages are vulnerable to being added to unsolicited email (spam) lists and could thus receive unwanted email. Spammers can collect email addresses by running automated harvesting scripts to parse static web pages one by one, looking for strings of characters that appear to be email addresses. Such automatic programs can catch thousands of addresses in a very short time.
To test the security of your own address, visit a search engine such as Google and enter your email address. The number of results you see is at least how many are visible to harvesting scripts.
For Indiana University web pages, if the contact information is for IU business, consider obtaining a departmental account and listing that address rather than your personal address; see Requesting a departmental or group account.
To help protect email addresses from harvesting scripts, consider the methods listed below (though none is fully guaranteed).
On this page:
- Re-format addresses
- Substitute ASCII codes in addresses
- Web forms
- Build the mailto: link using a server script or JavaScript
- Use graphics in displaying addresses
Re-format addresses
The simplest method for hiding addresses is to present them in a way that contains all necessary information but makes the address unusable without some modification. For example, insert spaces into the address:
username @ domain.edu
You can also list only the username next to an individual's name, and note the domain elsewhere on the page. The main drawback is that this method renders the address unclickable. You may wish to add an explanatory statement to your page, for example:
"Email addresses on this page are displayed in a manner that will deter automatic address harvesting programs. This step is taken to reduce unsolicited email sent to Indiana University addresses. We regret any inconvenience caused for our legitimate visitors."
Substitute ASCII codes in addresses
Present email addresses by substituting ASCII codes for certain characters in the address, trusting the user's browser to translate the codes back into the correct characters. The format for ASCII codes is the & (ampersand symbol), followed by the # (pound sign), followed by a number corresponding to the character to be displayed, followed by a ; (semicolon). In an address, for example, you could substitute the ASCII code for both the @ (at sign), which is 64, and the . (period), which is 46, as follows:
username&#64;domain&#46;edu
When you enter the above code in your HTML, browsers render it as username@domain.edu, but harvesting scripts looking at the source will see only the ASCII codes; unless they have been designed to translate ASCII codes, they will be unable to recognize the code as an address. This technique can be effective in both the target and text of a mailto: link.
Consult an ASCII code table for information on other characters.
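As an added example (not code from this page), the following JavaScript encodes the @ and . of an address as numeric codes in the form described above, then shows what a naive address-matching harvester sees in a constructed page fragment before and after the codes are translated back, which is the caveat the text raises: a harvester that decodes the codes recovers the address.

```javascript
// Added example, not from the original article. Encodes selected characters of
// an address as &#NN; numeric references and checks how a naive pattern-based
// harvester fares against the raw and the decoded page source.

// Characters the article suggests replacing: @ (64) and . (46).
const DEFAULT_CHARS = ['@', '.'];

// Replace each listed character with its &#NN; numeric reference.
function encodeAddress(address, chars = DEFAULT_CHARS) {
  const set = new Set(chars);
  return Array.from(address)
    .map((ch) => (set.has(ch) ? `&#${ch.codePointAt(0)};` : ch))
    .join('');
}

// Translate &#NN; and &#xHH; references back to characters, as a browser does
// (and as a harvesting script that bothers to decode them also can).
function decodeNumericRefs(html) {
  return html.replace(/&#([xX][0-9a-fA-F]+|[0-9]+);/g, (_, code) => {
    const isHex = /^[xX]/.test(code);
    return String.fromCodePoint(isHex ? parseInt(code.slice(1), 16) : parseInt(code, 10));
  });
}

// A simple address pattern of the kind a harvesting script might use (assumed).
const NAIVE_ADDRESS = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

// Return every string in the source that looks like an address.
function harvest(html) {
  return html.match(NAIVE_ADDRESS) || [];
}

// Constructed page fragment using the encoded address in both link target and text.
const ENCODED = encodeAddress('username@domain.edu');
const SAMPLE_HTML = `<p>Contact: <a href="mailto:${ENCODED}">${ENCODED}</a></p>`;
```

Running harvest(SAMPLE_HTML) finds nothing, while harvest(decodeNumericRefs(SAMPLE_HTML)) finds the address twice, once in the link target and once in the link text.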
Web forms
Below are two options for controlling or limiting access to email addresses using HTML web forms:
- Create a link to a web form asking users to enter their own address. Upon submission, the form emails the requested address to the user, and writes the transaction to a log.
- You can create a link going to a web form where users enter a message, and the form then submits the message using a server script. For instructions for doing this on IU departmental web pages, see Preventing Email Harvesting.
Build the mailto: link using a server script or JavaScript
Use scripts to emulate the function of a mailto: URL. The idea is to create a link on your page that submits the username and domain of the email address to a program that builds the mailto: URL dynamically and returns it to the user's browser.
- For instructions and examples of this method for server scripts, see James Thornton's Redirect mailto: for Spam Prevention software page.
- The following HTML link, with its JavaScript inline, can also obscure mail addresses:
<a href='javascript:window.location="mail"+"to:"+"user"+"@"+"domain"+"."+"com";'
onmouseover='window.status="mail"+"to:"+"user"+"@"+"domain"+"."+"com"; return true;'
onmouseout='window.status="";return true;'>Click here to send mail.</a>
This returns a mailto: link to user@domain.com, but the username and domain appear broken up in the source HTML file, protecting them from harvesting scripts. Note: This requires your visitors to have JavaScript enabled in their browsers; you may want to note this on your page.
This technique was taken from Mac Efficiency 101: Preventing Spam.
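As an added example, not the article's or Mac Efficiency 101's code, the same idea written without a javascript: URL: the address parts live in data attributes on the link (assumed markup, shown in the block) and a script assembles the mailto: target when the page loads, so no complete address appears in the static HTML. A harvester that executes page scripts can still obtain it, which is the caveat the section already gives.

```javascript
// Added example, not from the original article. Assumed markup:
//   <a class="obfuscated-mail" data-user="username" data-domain="domain" data-tld="edu">Send mail</a>
// The parts are joined only at run time, so the static source never holds the address.

// Join the parts into a mailto: URL; the string literals are split so that
// neither "mailto:" nor a full address appears in the script source either.
function buildMailto(user, domain, tld) {
  if (!user || !domain || !tld) {
    throw new Error('incomplete address parts');
  }
  return 'mail' + 'to:' + user + '@' + domain + '.' + tld;
}

// True if the given static source contains something shaped like an address
// (same naive pattern a simple harvesting script might use; assumed).
function staticSourceExposesAddress(html) {
  return /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/.test(html);
}

// In the browser: fill in href (and empty link text) for every marked link.
// Returns the number of links activated; does nothing outside a DOM.
function activateMailLinks(root) {
  const links = root.querySelectorAll('a.obfuscated-mail');
  links.forEach((a) => {
    const { user, domain, tld } = a.dataset;
    a.href = buildMailto(user, domain, tld);
    if (!a.textContent.trim()) {
      a.textContent = user + '@' + domain + '.' + tld;
    }
  });
  return links.length;
}

if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => activateMailLinks(document));
}

// Constructed static markup as it would be served, before any script runs.
const SAMPLE_MARKUP =
  '<a class="obfuscated-mail" data-user="username" data-domain="domain" data-tld="edu">Send mail</a>';
```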
Use graphics in displaying addresses
You could use graphics to display addresses. This works well as a companion to the previous methods in order to have a normal-looking, clickable email address displayed on your page as the link to your CGI, JavaScript, or form. However, if your priorities require maximum security over user convenience, you should use this method by itself and instruct users to type the address into their email program to send mail.
With this method, you create an image of some or all of each address. For highest security, represent the entire address with a graphic.
Replacing the entire address requires the most work, as each graphic must be unique. However, it is the most secure: a harvesting script would need optical character recognition, or a human operator, to obtain the address, particularly when the graphic is used in conjunction with one of the script methods above.
You could simply replace the @ sign with a picture of the same; however, the username and domain name are then readable and in close proximity to each other, and thus vulnerable. You might also consider using a graphic to represent everything in the address after the username, i.e., the @ sign and the domain.
For further explanation of the method of representing the @ sign graphically, see James Thornton's Graphic @ for Spam Prevention software page.