Detectify
Knowledge Base


Email enumeration

Last Updated: Apr 21, 2017 08:43PM CEST

The website in question reveals one or more email addresses in plain text.

What can happen?

Email enumeration has no direct security impact on its own, but it can result in an increase in the spam the exposed addresses receive. An attacker can also use knowledge of valid addresses for spear phishing and similar targeted attacks.

Remediation

Addresses at the reserved example domains (such as example.com) are automatically filtered out of this finding. When an example email address is needed on a page, it is recommended to use one of those domains.

One way is to use a service that hides the email address behind a captcha, see: https://www.google.com/recaptcha/admin#mailhide.

Another easy solution, which should minimise the number of bots capable of capturing the address, is to assemble it with JavaScript so that it never appears literally in the HTML source, for example with a snippet like the following:

<script>
    // The pieces are concatenated at run time, so the full address is not
    // present in the static HTML that simple harvesting bots scrape.
    document.write("example" + "@example" + ".com");
</script>

If you do not consider this a security risk, mark it as an Accepted Risk. Not everyone sees spam as a direct problem, and that is okay. Once it is marked as an Accepted Risk we will no longer report the issue in future reports.
