Check your website pages for harvesting risks.

Address Harvesting Check

Check your website pages for spam-robot vulnerable email addresses.

Scan this Webpage:

Start by entering the base URL of your website, for example

Instructions for use

Enter the base address of your website, typically just the domain name. The 'http://www' or 'https://' prefixes are optional and will be added if necessary. The page will be loaded, and analyzed for hyperlinks. Once the data has been processed, you will be shown a report detailing any unprotected email-links found, plus a list of the links to other local and offsite pages.

Email addresses are divided into two categories - Unprotected mailto: hyperlinks -which are extremely vulnerable to harvesting and should be avoided on modern websites- and freeform email addresses which are vulnerable to the more sophisticated types of harvesting robot.

Clicking an email address will show you the source code of the page, with the location of the vulnerable items highlighted.

Clicking a local Weblink will load that page for analysis. At the very minimum you should check your Home and Contact Us pages, these being the most likely to contain email addresses which are vulnerable to harvesting.

Why might I need this?

No-one should need telling that ransomware is a major concern these days. A high proportion of ransomware incidents start with an email carrying a malicious attachment. Such malicious emails are far more dangerous if they contain personal information about the sender, recipient or organization which makes the message seem highly authentic. The seeming genuineness of the message may persuade the recipient to follow instructions it contains, for example to turn off security measures in order to view the attachment. Needless to say, if the recipient follows these instructions, a world of pain follows.

The key to preventing targeted, personalized attacks on your organization is to sanitize your publicity material of information which can be used to create authentic-looking forged messages.

A major concern in this respect is any website which exposes personal email addresses and associated names, roles or other credentials to what is variously termed 'scraping' or 'harvesting' -The bulk collection of such information by automated processes scanning the Internet.

This tool allows you to make a quick check of your website for pages which are exposing email addresses to collection by robots. It is not a substitute for a full appraisal of the website, but will in the vast majority of cases expose such problems. If the site is exposing email addresses, then chances are it may be exposing other personal information too. If so, you are at risk from targeted, seemingly-genuine, malicious emails.

-Besides which, if your email accounts are suffering an excessive level of spam, one of the first remedial actions you should take is to discover where the spammers are getting hold of your email addresses from. Frequently, this will be a webpage with unprotected 'mailto' links on it. The most likely candidate will be the 'Contact Us' page of your own website, although business directories are another possibility.

To limit the spam, you may of course resort to a filtering service. Filtering on its own will not address the root cause of the problem though, and over a period of time the spam volume is liable to steadily increase until it overwhelms the filter. Thus, it is equally important to deal with the root cause. Which, is usually address harvesting.

Interpretation of results

A High or Very High rating on any page indicates that you definitely need to investigate further.

A Moderate rating should be treated as requiring action if there are recognised email addresses in the report. Unrecognised items may be addresses protected from harvesting, or may be other types of data structure which need not concern us here.

A Low rating probably means that the page being checked is free from email security issues, but it could also result from special technology on your webserver blocking the analysis. If the report also shows no links to other pages -when you know such links exist- then suspect the latter.

Note that the presence of 'email me' links on webpages viewed in a browser, does not necessarily indicate a harvesting risk. It all depends whether the links have been written in a havesting-vulnerable manner, or not. This utility only lists those email links which would typically be vulnerable to harvesting. So if it shows up here, it needs attention.

Disclaimer: As with all online security tools, use entirely at your own risk. No guarantees of accuracy are given. The analysis is based on the known actions of address harvesting software, but cannot anticipate all possible ways in which addresses can be obtained.