Email Disclosure

  • CAPEC 118
  • CWE 200
  • WASC 13

Disclosure of email addresses on web sites can trigger the sending of large amount of spam to those addresses. Most spammers use bots to harvest email addresses from web sites specifically for this purpose. In order to identify email addresses, these applications generally look at html source files for instances of mailto: or at symbols (i.e., @).

Email addresses of individuals may also be used in social engineering attacks.


Consider removing any email addresses that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as

To reduce the quantity of spam sent to anonymous mailbox addresses, consider hiding the email address and instead providing a form that generates the email server-side, protected by a CAPTCHA if necessary.