Hiding email behind a 30x redirect.
Posted by jpluimers on 2014/06/24
Last week, I thanked Jaykul for helping me out on PowerShell.
But he taught me another thing that was new to me: on his site, he has hidden his email address behind a 302-redirect.
I didn’t even realize that was possible until I saw his site start my mail program without initially showing a mailto in the URL. A quick check showed me he was using a 302-redirect:
Jeroens-MacBook-Pro:~ jeroenp$ wget http://example.com/example-mail
--2014-06-17 11:15:59--  http://example.com/example-mail
Resolving example.com... 192.0.43.10, 2001:500:88:200::10
Connecting to example.com|192.0.43.10|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: mailto:example@example.com [following]
mailto:example@example.com: Unsupported scheme `mailto'.
Since a 302-redirect is a temporary redirect, I investigated whether there was a better HTTP 30x redirect (I think 307 should work best) and how to do this in Apache on SuSE 12.x.
Don’t try to redirect email through example.com, as they do not have an MX.
For this example, I’m going to use nullⓐpluimers.com, which already points to a /dev/null alias when you look at my mail aliases file:
snap:/etc/mail # grep null /etc/mail/aliases
verborgen: /dev/null
geheim: /dev/null
zwartgat: /dev/null
null: /dev/null
snap:/etc/mail # grep null /etc/mail/virtusertable
nullⓐpluimers.com null
snap:/etc/mail # grep null /var/log/messages
May 11 22:19:08 snap sendmail[11566]: r4BKJ8Bf011563: to=/dev/null, ctladdr=<nullⓐpluimers.com> (2/0), delay=00:00:00, xdelay=00:00:00, mailer=*file*, pri=31196, dsn=2.0.0, stat=Sent
May 11 22:19:08 snap sendmail[11566]: r4BKJ8Bf011563: done; delay=00:00:00, ntries=1
You could script it for multiple email addresses as explained in Redirect mailto: for Spam Prevention, by James Thornton, but for a single email address, you can also do it in your Apache config.
Apache mailto redirect
For Apache, you need to have mod_alias installed (you can check that on most *nix systems by running apache2ctl -M as root or using sudo).
The 302 redirect is just a matter of adding a Redirect or RedirectTemp clause to the config file for your domain or virtual domain. In my case, this was enough:
snap:/etc/mail # grep null /etc/apache2/vhosts.d/pluimers.com.conf
Redirect /mailtonull mailto:nullⓐpluimers.com
Optionally, you can put your own 30x status code between Redirect and the path, for instance Redirect 307 /mailtonull mailto:nullⓐpluimers.com.
This proves it works:
Jeroens-MacBook-Pro:~ jeroenp$ wget http://pluimers.dyndns.org/mailtonull
--2014-05-11 22:36:28--  http://pluimers.dyndns.org/mailtonull
Resolving pluimers.dyndns.org... 80.56.112.166
Connecting to pluimers.dyndns.org|80.56.112.166|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: mailto:nullⓐpluimers.com [following]
mailto:nullⓐpluimers.com: Unsupported scheme `mailto'.
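To show the same exchange offline, here is an added Python demo (not code from the post or from Apache): a tiny local HTTP server stands in for the Redirect rule, a page links only to the redirect path, and a client reads the 307 and its Location header without following it. The address and page are constructed for the demo.

```python
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
# Constructed values for this demo: a hypothetical address and a minimal page
# whose source contains only the redirect path, never the address itself.
MAILTO = "mailto:null@example.invalid"
PAGE_HTML = b'<html><body><a href="/mailtonull">Contact me</a></body></html>'

class RedirectHandler(BaseHTTPRequestHandler):
    """Mimics an Apache 'Redirect 307 /mailtonull mailto:...' rule."""
    def do_GET(self):
        if self.path == "/mailtonull":
            self.send_response(307)  # temporary, method-preserving redirect
            self.send_header("Location", MAILTO)
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(PAGE_HTML)))
            self.end_headers()
            self.wfile.write(PAGE_HTML)
    def log_message(self, *args):  # silence request logging
        pass

def fetch(port, path):
    """One GET without following redirects: (status, Location header, body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, resp.getheader("Location"), body

def scrape_mailto(html):
    """What a naive address harvester does: grep the page source for mailto:."""
    return re.findall(rb"mailto:[^\"'\s>]+", html)

def demo():
    srv = HTTPServer(("127.0.0.1", 0), RedirectHandler)  # ephemeral port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    page_status, _, html = fetch(port, "/")
    redirect_status, location, _ = fetch(port, "/mailtonull")
    srv.shutdown()
    return {"page_status": page_status, "harvested": scrape_mailto(html),
            "redirect_status": redirect_status, "location": location}

if __name__ == "__main__":
    print(demo())
```

The harvester finds no mailto in the page source; only a client that follows the redirect and understands the mailto scheme (a browser handing off to a mail program) ever sees the address.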
Is this really security?
Though I know security by obscurity (yes, I have also replaced all @ with ⓐ) is not the best way to keep people from getting at information, it certainly makes it more difficult for the average HTML scraper.
This isn’t the best user experience
Even the famous usability expert Dr. Jakob Nielsen decided not to use a mailto link. Too bad that, as of early 2013, all the content of his www.useit.com site now points to www.nngroup.com, violating his Fighting Linkrot post; luckily the Wayback Machine still archived the old page about mailto and the old useit.com homepage. Good thing: the new site has continued the old Alertbox column, though.
–jeroen