Michael J. Radwin

Tales of a software engineer who keeps kosher and hates the web.

Protecting email addresses, part 2

I wrote on Sunday about wanting to protect email addresses in the MVHS Alumni Internet Directory. I finally found some time to code it up.

The mailto: links have been replaced with a web form that alumni can use to send a message.

Since the website doesn’t require a login, it’s not totally spam-proof. I do include an MD5 hash of the real email address in the form as a hidden variable, so there’s some guarantee that you’ve at least first fetched the form from my website before hitting submit. This isn’t that much for security, but it means that someone writing a robot to abuse the site would have to do some extra work (fetch the webpage first, grab the hidden field, and then submit it back with the spam message).

I’m also using the Email::Valid module to check to make sure that the return address is RFC822 compliant.
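The hidden-field check and the return-address validation described above, sketched in Perl as an added example (this is not the site's actual code). The record id, field names, secret and one-hour lifetime are assumptions, and the keyed token is a variation on the post's plain MD5 that cannot be recomputed from the address alone.

```perl
#!/usr/bin/perl
# Added example, not the site's code. Ids, field names, secret and lifetime are assumptions.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);
use Digest::SHA qw(hmac_sha256_hex);
use Email::Valid;

my $SECRET    = 'replace-with-random-server-side-value';  # constructed placeholder
my $MAX_AGE   = 3600;                                     # assumed form lifetime, seconds
my %DIRECTORY = (42 => 'alum@example.com');               # constructed sample record

# Scheme from the post: hidden field carries MD5 of the real address.
sub plain_token { my ($id) = @_; return md5_hex($DIRECTORY{$id}) }

# Keyed variant: bound to record id and issue time, needs the server secret.
sub keyed_token {
    my ($id, $issued) = @_;
    return hmac_sha256_hex("$id:$issued:$DIRECTORY{$id}", $SECRET);
}

# Compare without stopping at the first differing character.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

sub check_submission {
    my (%f) = @_;
    my ($id, $issued) = ($f{id} // '', $f{issued} // '');
    return 'unknown recipient' unless exists $DIRECTORY{$id};
    return 'stale form' unless $issued =~ /\A\d+\z/ && time() - $issued <= $MAX_AGE;
    return 'bad token' unless ct_eq($f{token} // '', keyed_token($id, $issued));
    # Email::Valid returns the address if it is well formed, undef otherwise.
    my $from = Email::Valid->address($f{from} // '');
    return 'bad return address' unless defined $from;
    return "ok: deliver to record $id from $from";
}

# Constructed submissions: fetched form, plain-MD5 token, malformed return address.
my $now  = time();
my %good = (id => 42, issued => $now, token => keyed_token(42, $now), from => 'old.friend@example.org');
print check_submission(%good), "\n";
print check_submission(%good, token => plain_token(42)), "\n";
print check_submission(%good, from => 'not an address'), "\n";
```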

People have often asked why the website doesn’t use a password/registration model like alumni.net or classmates.com, because it would certainly do more to discourage spammers. It turns out that spam hasn’t been too big of a problem for the 1500+ alumni listed on the website for the past seven years, and the complexity of passwords and registration just makes things too difficult when all you want to do is send a quick hello to someone you haven’t seen in 10 or 20 years. For the time being, the trust model is working well enough.