By Mary Ann Wells
This article is not about programs that scrape email addresses from your website. That is a very old vulnerability, and most web designers can fix it by encoding the addresses on your pages. This article is about a method of email harvesting that you may not be aware of: domain email harvesting.
The screenshot below is the easiest way to explain what domain email harvesting is. I’m using an insurance company’s website because it’s a big company and the results are a shocking eye-opener.
Let me explain what you’re looking at. This is the insurance company’s home page and the drop-down at the top right is a Chrome extension on my browser. When I go to any website (not just this one), I can use this extension to find all emails associated with that website’s domain. In this specific case, you’ll see that there are 38,030 emails associated with their domain and they are exposed.
Now, if this insurance company were to come to me and ask how to fix this, here’s what I would tell them…
Besides having two domains, one for email and another for the website, you may want to make sure that all “public” emails are forwarding addresses such as sales@, service@, etc. You can use either domain for these because they do not have an inbox. Each forwarding address can be set to forward to one person or a group of people. Because forwarding addresses do not have an inbox of their own, when someone tries to validate the address it comes back as “unverifiable”. People can still send to them, but they are not verified because no one knows who is going to receive them. A mass mailing sent to “unverified” addresses is generally penalized: the sender may be fined or have its servers shut down (bounce rates of 15% or more are not allowed).
Keep company email for in-company use only or to communicate directly with a customer. Make it a rule that no one at your company shares an employee’s email address with anyone outside of the company; they can provide a forwarding address instead.
A quick note on forwarding emails. You can create forwarding addresses for your salespeople as well. For example, [email protected] can be a forwarding address printed on Joe’s business cards that forwards to Joe’s company email of [email protected]. This gives Joe’s email a bit of protection, and Joe can set up a rule in his email client so that all mail sent to [email protected] goes into a specific folder for him. This keeps his sales emails separate from in-company emails.
Another perk of using a forwarding address for employees is that if Joe moves on to another company, his forwarding address can simply be pointed at someone else’s email address.
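To make the forwarding setup above concrete, here is an added example (not from the article or from Web-Kare) of a Postfix-style virtual alias table for the two-domain arrangement, together with a small shell check that confirms every public alias forwards only to mailboxes in the internal domain and never to itself. The domain names and addresses are constructed placeholders, and the table format assumes Postfix’s `virtual_alias_maps` syntax (source address, whitespace, comma-separated destinations).

```shell
#!/bin/sh
# Added example, not the article's own material. Domains and people below are
# constructed placeholders: example-public.test hosts the website and the
# public-facing forwarding addresses, example-corp.test hosts real mailboxes.
ALIASES=$(cat <<'EOF'
# public forwarding address      -> internal mailbox(es) that receive the mail
sales@example-public.test        joe.smith@example-corp.test, ann.lee@example-corp.test
service@example-public.test      support-team@example-corp.test
joe@example-public.test          joe.smith@example-corp.test
EOF
)

# check_aliases PUBLIC_DOMAIN INTERNAL_DOMAIN TABLE
# Returns 0 when the table follows the article's rule: each left-hand address is
# a forwarder in the public domain, and every destination is a mailbox in the
# internal domain (so no forwarder points at another forwarder or at itself).
check_aliases() {
    public_domain="$1"; internal_domain="$2"; table="$3"
    printf '%s\n' "$table" | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' |
    while read -r src dests; do
        case "$src" in
            *"@$public_domain") ;;
            *) echo "forwarder is not in the public domain: $src" >&2; exit 1 ;;
        esac
        for d in $(printf '%s' "$dests" | tr ',' ' '); do
            case "$d" in
                *"@$internal_domain") ;;
                *) echo "$src forwards outside the internal domain: $d" >&2; exit 1 ;;
            esac
        done
    done
}

# Stand-alone usage: validate the table and report the result.
if check_aliases example-public.test example-corp.test "$ALIASES"; then
    echo "alias table OK"
fi
```

Run the check against the real alias file before loading it with `postmap`; the one-line rule it enforces is the whole point of the article: addresses the public can find are forwarders, and the mailboxes behind them stay on the internal domain.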
I hope you have found this article helpful. The next article in this series will be about social media and data mining.
Web-Kare is not paid to promote any product or service in this Need2Know section. We feel that it is important to educate business owners about possible vulnerabilities to their business so they can decide how to handle them. If you have questions or wish to know more, please use the “I Need to Know More” form below.