I've had a few emails, and a few contacts over Matrix over the years. Barely any though. My email and matrix id are both on my front page at https://www.grepular.com. I recently added a "Like" button at various places throughout the site, front page, end of articles etc, so a click, followed by typing an optional message and another click is all it would take. I've been wondering if people ignore it due to assuming it is somehow connected to social media.
I have a direct mailto: link to my email address in the footer of my website. Zero obfuscation. I don't get any unusually large volume of spam. Maybe Fastmail's filters are that good, or maybe scraping emails off the web just isn't worth the spammers' time anymore and they've all moved on to posting thirst traps on Instagram. I dunno. Hasn't been a problem either way.
I host my own email. I use a default SpamAssassin configuration along with some basic greylisting. I barely get any spam. Maybe one every month or two.
I sort of need public contact info. Maybe I obfuscate a bit on my site though I would need to look. Modern hosted email systems seem pretty good at filtering the real spam.
But I also need to coordinate with folks with respect to conference meetings and the like so my email is pretty public.
not OP, but my current solution is to have a link which says "click to show email", with javascript handler that changes that link's href (and text) to email address, which is somehow computed. For example, by taking page URL and performing some regexp on it. It both avoids storing email in page source in plain text and requires human interaction, so feels good enough.
Another way I've seen elsewhere is to use a human-language explanation of how to build email address, something like this: "To get my email address, combine my first name (John) with my birth year (2000), separated by dash (-), and add email provider (@gmail.com)".
> my current solution is to have a link which says "click to show email"
Yeah was thinking of going down that route, but I like the simplicity of just having it there there as a mailto link when you land. Based on Mike's response I might try it!
Same here on my iPhone. I didn't previously log it into my github account as I don't use github anymore, I use gitlab. So it wont find anything useful there. You actually only need to do this in order to be able to access the list of sessions. Even if you don't log into github, remote-control still works if you copy across the link that the cli tool outputs for you and just visit that on your phone. That's a bit of a pain though of course.
What's nice about AtomicMail.io? I just tested it with https://www.emailprivacytester.com and it leaked my IP and when I read the email. And I can't even find an option to turn off remote content loading, which has been a standard feature of email and webmail clients for privacy reasons for decades, and should be turned to off by default.
Thanks for reporting this! The issue was caused by the email HTML content not being properly normalized before rendering - some emails from services like emailprivacytester.com return complex nested structures that triggered a React rendering error. I've pushed a fix that safely handles all edge cases (non-string HTML arrays, nested objects in header fields, etc.). Should be live shortly. Really appreciate you testing with edge cases like this!
Only way I can think of protecting against this is to put a reverse proxy in front of it, like Nginx, and inject CSP headers to prevent cross site requests. Wouldn't block the NAS server side from making external calls, but would prevent your browser doing it for them as is the case here. Also would prevent stuff like Google Analytics if they have it. If you set up a proxy, you could also give it a local hostname like nas.local or something with a cert signed by your private CA that Nginx knows about, and then point the real hostname at Nginx, which has the wildcard cert.
Bit of a pain to set this all up though. I run a number of services on my home network and I always stick Nginx in front with a restrictive CSP policy, and then open that policy up as needed. For example, I'm running Home Assistant, and I have the Steam plugin, which I assume is responsible for requests from my browser like for: https://avatars.steamstatic.com/HASH_medium.jpg, which are being blocked by my injected CSP policy
P.S. I might decide to let that steam request through so I can see avatars in the UI. I also inject "Referrer-Policy: no-referrer", so if I do decide to do that, at least they wont see my HA hostname in there logs by default.
I remember about 20 years ago writing a relatively simple tool in perl with IMAP::Client to migrate a Universities staff mail from Courier (I think) to Communigate Pro, and then another one to migrate from Communigate Pro to Microsoft Exchange a few years later.
I was at the beginning of my career. It was pretty easy. Went almost flawlessly, moving thousands of peoples email.
Where is the "painful" part? It's just moving blobs of text around.
reply