Generic Email Address Disclosure - Vulnerability Database

Generic Email Address Disclosure

Description

This finding indicates that one or more email addresses have been discovered in publicly accessible content on the website. Email addresses exposed in web pages, HTML source code, or JavaScript files can be harvested by spambots, crawlers that visit websites specifically to collect email addresses with a simple pattern match. Harvested addresses are typically added to spam distribution lists, used for phishing campaigns against the organization, or sold to other malicious actors.

Remediation

Implement email address obfuscation techniques to prevent automated harvesting while maintaining usability for legitimate users. Consider the following approaches:

1. Use contact forms instead of displaying email addresses: Replace visible email addresses with web forms that submit messages server-side without exposing the actual email address.

2. Implement JavaScript-based obfuscation: Encode email addresses and decode them client-side using JavaScript, so the complete address never appears as a literal string in the HTML or script source.

// Example: JavaScript email obfuscation
// The address is assembled at runtime from separate parts, so a bot that
// regex-scans the page or script source for "name@domain" finds nothing.
// A bot that executes JavaScript will still see the rendered address.
const user = 'contact';
const domain = 'example.com';
const email = user + '@' + domain;
// Assumes an anchor such as <a id="email-link"></a> exists in the page.
const link = document.getElementById('email-link');
link.href = 'mailto:' + email;
link.textContent = email;

3. Use HTML entity encoding: Replace characters in email addresses with HTML entities (e.g., @ becomes &#64;). Browsers render the entities as the original characters, so the address remains readable, but this only defeats the simplest harvesters; any bot that decodes entities before matching recovers the address.

4. Display email addresses as images: Render email addresses as images with appropriate alt text for accessibility. Do not put the plain address in the alt or title attribute, since that reintroduces it into the HTML source; use a descriptive alt text and offer an alternative contact method (such as a form) for screen-reader users.

5. Implement CAPTCHA protection: For contact pages, require CAPTCHA verification before the server returns the email address, so the address is never present in the initially served page.

Note that no client-side obfuscation method is completely foolproof, because a harvester that executes JavaScript or decodes entities sees exactly what a browser sees. Using contact forms, where the address stays on the server, is the most secure approach when possible.
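The following is an added example, not code from the Invicti page or product, showing approaches 2 and 3 side by side together with the kind of check a harvester performs. It assumes a hypothetical anchor element id (email-link) and a hypothetical per-page key string; the sample address contact@example.com is constructed for the example.

```javascript
// Added example (not from the original page). Two obfuscation helpers plus a
// naive harvester regex, to show which encodings survive which kind of bot.

// Approach 3: HTML entity encoding. Every character becomes a decimal entity,
// so the raw source contains no '@' for a regex scanner to match.
function toHtmlEntities(addr) {
  return Array.from(addr, ch => `&#${ch.codePointAt(0)};`).join('');
}

// What a slightly smarter harvester does before matching: decode entities.
function fromHtmlEntities(s) {
  return s.replace(/&#(\d+);/g, (_, n) => String.fromCodePoint(Number(n)));
}

// Approach 2: keep only an obfuscated form in the script. XOR each character
// with a key (hypothetical, chosen per page) and hex-encode the result, so the
// address is never a literal in HTML or JavaScript source.
function obfuscate(addr, key) {
  let out = '';
  for (let i = 0; i < addr.length; i++) {
    const c = addr.charCodeAt(i) ^ key.charCodeAt(i % key.length);
    out += c.toString(16).padStart(4, '0');
  }
  return out;
}

function deobfuscate(hex, key) {
  let out = '';
  for (let i = 0; i < hex.length / 4; i++) {
    const c = parseInt(hex.slice(4 * i, 4 * i + 4), 16) ^ key.charCodeAt(i % key.length);
    out += String.fromCharCode(c);
  }
  return out;
}

// Simplified pattern typical of address-harvesting bots.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;

function harvesterFinds(text) {
  return EMAIL_RE.test(text);
}

// Decode at runtime and write the mailto link into the page. `doc` is passed
// in so the function can be exercised without a browser.
function installMailto(doc, elementId, hex, key) {
  const addr = deobfuscate(hex, key);
  const el = doc.getElementById(elementId);
  if (!el) return null;
  el.href = 'mailto:' + addr;
  el.textContent = addr;
  return addr;
}

// Constructed sample address and hypothetical key.
const SAMPLE = 'contact@example.com';
const PAGE_KEY = 'page-key';
const SAMPLE_HEX = obfuscate(SAMPLE, PAGE_KEY);

// Browser usage: only the hex form would be shipped in the script.
if (typeof document !== 'undefined') {
  installMailto(document, 'email-link', SAMPLE_HEX, PAGE_KEY);
}
```

Running the harvester regex over the three forms illustrates the caveat in the note above: the entity-encoded and XOR-encoded strings do not match, but the entity form matches again as soon as the bot decodes entities, and the XOR form is recovered by any bot that executes the page's JavaScript. Only a server-side contact form keeps the address out of reach entirely.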
