Protecting Your Email Address On The SEW Forums

[dannysullivan]

A member asked me recently about issues with vCard downloads, suspecting that someone has spidered the forums to gather email addresses this way. I'll cover what's happened with that, as well as a revisit on how to protect your email address here period.

When you sign up, you have to give us an email address to help verify your account. That doesn't mean you have to publish this email address to anyone, however. When you sign up, the very last option will be a tickbox that says, "Receive Email From Other Members."

By default, that's left off. In other words, by default, your email address will NOT be shown. If someone goes to view your profile, a link saying they can email you will appear. However, anyone clicking on it will get this message:
Sorry! That user has specified that they do not wish to receive emails. If you still wish to send an email to this user, please contact the administrator and they may be able to help.


It turns out that despite this, if someone makes use of the vCard feature, they can get a vCard that pops up with your email address despite you having registered to keep this private. That's because by default, vCards are enabled.

We don't list links to generate vCards here, which may be one reason why we've not noticed this before or had it raised as an issue. The only way to get this is if you know the right vBulletin (our forum software) URL strings to make them pop up. You'd have to view a users profile and then add &do=vcard to the end of the URL in your window, such as http://forums.searchenginewatch.com/...p?u=8&do=vcard

I can only sincerely apologize for this security loophole. It's never come to our attention before, nor is it something you would have expected to work. If the software initially asks you if you want to reveal your email address, you'd then think it would also NOT enable vCards to show that address.

The good news is relatively few people were affected. When I looked at the system today, whenever anyone new signed up, vCards were enabled. If things had been that way for some time, you'd expect a big chunk of our over 7,000 members to have them on. Instead, only 381 have -- about 5 percent of our total members. Some of this group may also have already set things to show their emails and vCards both themselves.

In fact, another factoid. 56 percent of our members have chosen to list their emails publicly! The default setting is NOT to expose these, so lots of people seem comfortable changing this.

vCards downloads have now been reset to that they are disabled for everyone. If you want them one for whatever reason, you can do this using the Edit Options setting in the Control Panel.

Beyond this, I have made a further change. Even if you do allow people to email you by revealing your email address, I've changed the settings so your email address is NOT shown. Instead, people will get a form that, if they fill out, will forward email to you. That will help protect against spider harvesting.

You can still list instant messaging addresses you have using the Edit Profile option in the control panel. These will be shown if you enter info -- so if you do NOT want info shown, don't put it in.

As said, by default Email addresses are not switched on. If you leave everything alone, anyone who wants to reach you can use the private messaging system. But if you want to enable regular email -- so they can use a form to send to your regular email address -- you need to tick the Receive Email From Other Members option on the Edit Options screen in Control Panel.

[DianeV]

Really nicely done, Danny. Thanks for going to the trouble.