The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Hiding email behind a 30x redirect.

Posted by jpluimers on 2014/06/24

Last week, I thanked Jaykul for helping me out on PowerShell.

But he taught me another thing that was new for me: on his site, he has hidden his email address behind a 302-redirect.

I didn’t even realize that was possible until I saw his site start my mail program without first showing a mailto: in the URL. A quick check showed me he was using a 302-redirect:

Jeroens-MacBook-Pro:~ jeroenp$ wget http://example.com/example-mail
--2014-06-17 11:15:59--  http://example.com/example-mail
Resolving example.com... 192.0.43.10, 2001:500:88:200::10
Connecting to example.com|192.0.43.10|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: mailto:example@example.com [following]
mailto:example@example.com: Unsupported scheme `mailto'.

Since a 302-redirect is a temporary redirect, I investigated whether there was a better HTTP 30x redirect (I think 307 should work best) and how to do this in Apache on SuSE 12.x.

Don’t try to redirect email through example.com, as that domain has no MX record.

For this example, I’m going to use nullⓐpluimers.com, which, as my mail aliases file shows, already points to a /dev/null alias:

snap:/etc/mail # grep null /etc/mail/aliases
verborgen:		/dev/null
geheim:			/dev/null
zwartgat:		/dev/null
null:			/dev/null

snap:/etc/mail # grep null /etc/mail/virtusertable
nullⓐpluimers.com			null

snap:/etc/mail # grep null /var/log/messages
May 11 22:19:08 snap sendmail[11566]: r4BKJ8Bf011563: to=/dev/null, ctladdr=<nullⓐpluimers.com> (2/0), delay=00:00:00, xdelay=00:00:00, mailer=*file*, pri=31196, dsn=2.0.0, stat=Sent
May 11 22:19:08 snap sendmail[11566]: r4BKJ8Bf011563: done; delay=00:00:00, ntries=1

You could script it for multiple email addresses as explained in Redirect mailto: for Spam Prevention, by James Thornton, but for a single email address, you can also do it in your Apache config.

Apache mailto redirect

For Apache, you need to have mod_alias installed (on most *nix systems you can check that by running apache2ctl -M as root or via sudo).

The 302 redirect is just a matter of adding a Redirect or RedirectTemp directive to the config file for your domain or virtual domain. In my case, this was enough:

snap:/etc/mail # grep null /etc/apache2/vhosts.d/pluimers.com.conf
 Redirect /mailtonull mailto:nullⓐpluimers.com

Optionally, you can put your own 30x status code between Redirect and the path, before the target URL.

This proves it works:

Jeroens-MacBook-Pro:~ jeroenp$ wget http://pluimers.dyndns.org/mailtonull
--2014-05-11 22:36:28--  http://pluimers.dyndns.org/mailtonull
Resolving pluimers.dyndns.org... 80.56.112.166
Connecting to pluimers.dyndns.org|80.56.112.166|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: mailto:nullⓐpluimers.com [following]
mailto:nullⓐpluimers.com: Unsupported scheme `mailto'.
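A small POSIX shell checker, added here as an example and not part of the original post, does what the wget runs above do by hand: it fetches the headers of a redirect URL without following the redirect and reports the status code and Location target, so you can confirm a 302 (or 307) pointing at a mailto: URL. The parsing is separated from the network call and fed a constructed sample response (the address user@example.com and the header values are made up for the example) so it runs offline; the check_url function assumes curl is installed. Note what the sample also makes plain: any client that follows the redirect, a scraper with redirect-following enabled included, receives the address in the Location header, so the trick only defeats scrapers that look for mailto: inside the HTML itself.

```shell
#!/bin/sh
# Added example (not from the original post): inspect what a /mailtonull-style
# URL returns and report whether it is a 3xx redirect to a mailto: URL.

# Constructed sample response (not a real capture); the address is a placeholder.
SAMPLE_RESPONSE='HTTP/1.1 302 Found
Date: Sun, 11 May 2014 20:36:28 GMT
Server: Apache
Location: mailto:user@example.com
Content-Length: 0
Content-Type: text/html; charset=iso-8859-1'

# Read raw HTTP response headers from stdin and print "<status> <location>".
# Returns 1 when the response is not a 3xx redirect carrying a Location header.
parse_redirect() {
    headers=$(tr -d '\r')
    status=$(printf '%s\n' "$headers" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*$/\1/p')
    location=$(printf '%s\n' "$headers" | sed -n 's/^[Ll]ocation:[[:space:]]*//p' | head -n 1)
    case "$status" in
        3??) ;;
        *) return 1 ;;
    esac
    [ -n "$location" ] || return 1
    printf '%s %s\n' "$status" "$location"
}

# Exit 0 when the headers on stdin describe a redirect whose target uses the
# mailto: scheme, 1 otherwise.
is_mailto_redirect() {
    result=$(parse_redirect) || return 1
    case "${result#* }" in
        mailto:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check (needs network and curl): -I sends a HEAD request, -s keeps curl
# quiet, and without -L curl does not follow the redirect, so the 30x itself
# and its Location header are what we see.
check_url() {
    curl -sI "$1" | parse_redirect
}

# Offline demonstration on the constructed sample.
printf '%s' "$SAMPLE_RESPONSE" | parse_redirect
if printf '%s' "$SAMPLE_RESPONSE" | is_mailto_redirect; then
    echo "sample is a mailto: redirect"
fi
```

Run it as `sh check-mailto.sh` for the offline demonstration, or call `check_url http://your-host/mailtonull` after sourcing the file to inspect a real vhost; a 200 with an HTML body instead of a 302 means the Redirect directive is not active for that path.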

Is this really security?

Though I know security by obscurity (yes, I have also replaced every @ with ⓐ) is not the best way to keep people from getting at information, it certainly makes things harder for the average HTML scraper.

This isn’t the best user experience

Even the famous usability expert Dr. Jakob Nielsen decided not to use a mailto link (too bad that, as of early 2013, all the content of his www.useit.com site now points to www.nngroup.com, violating his own Fighting Linkrot post; luckily the Wayback Machine still archived the old page about mailto and the old useit.com homepage; the good news is that the new site has continued the old Alertbox column).

–jeroen
