[rfc-i] public email addresses ?

Henrik Levkowetz henrik at levkowetz.com
Thu Nov 15 11:16:11 PST 2007


On 2007-11-15 18:50 Bob Braden said the following:
> The RFC Editor is installing a new web-based service for reporting
> and verifying errata.  Our first version displayed email addresses
> of both reporters and verifiers, for the convenience of others
> who want to comment/interact about particular errata.  But we very
> quickly found out our mistake; the RFC Editor staff was using
> the new system, and within 24 hours we found ourselves
> bombarded with spam.
> So, what is the recommendation?  Do we have to give up the
> transparency and convenience of email addresses in the public
> display of errata because of the *&^*&^*&^ spammers?  What
> does the tools team do about this?  What is the general rule
> for email addresses on IETF web pages?

Draft authors just have to live with it, as addresses are harvested
both from draft text and mailing list.  With both spamassassin and
email-client spam filters in place, I'm seldom bothered by spam even
if the daily inflow is on the order of ~300.

However, for addresses that doesn't need to be that public I'd advocate
obfuscation through javascript.  This is the javascript snippet I use
for such cases:

   function showEmail(name, dom, text) {
       addr = name + "\x40" + dom;
       if (!text) { text = addr; }
       document.write('<a href="mail'+'to'+'\x3A' + addr+'">'+text+'</a>');

and it is used in a html file for instance as follows:

    <script type="text/javascript">
        showEmail("henrik", "levkowetz.com", "Henrik Levkowetz");

For a live example, look at http://tools.ietf.org/tools/idspell/webservice .

There are many other ways of obfuscating email addresses, but I suspect
that the spammers are wise to most of them, but don't care to expend the
extra processing it would take to run javascript on all pages in order
to catch obfuscations like the one above.

Hope that helps,


More information about the rfc-interest mailing list