Information Low E-mail addresses exposed to the Internet will be scraped by spambots and added to spam lists. E-mail addresses can also be used in targeted and phishing attacks. E-mail addresses could be used to more accurately guess application usernames. If the e-mail addresses are those of users, developers should investigate why they are being output and try to remove or obfuscate them. E-mail addresses embedded in user-supplied content should be filtered or obfuscated to prevent unintented disclosure. It is common that e-mail addresses may be automatically included in third-party components, such as Javascript libraries. Another possibility is that the server is automatically configured to include e-mail addresses. Tweaking configuration can usually remove these. Vega has found patterns that resemble e-mail addresses in scanned content. These may be user the addresses of system users, addresses inserted in user-supplied content, or third-party addresses embedded in components of the application (such as Javascript libraries). Automatically scraping websites is one way that spammers and phishers collect e-mail addresses for their distribution lists. It is recommended that e-mail addresses not be displayed on exposed parts of the web application, directly or indirectly. E-mail address harvesting (Wikipedia) Nine ways to obfuscate your e-mail address (Tilllate TechBlog)