Event Coordinator email addressed exposed in default messages

4 posts / 0 new
Last post
Event Coordinator email addressed exposed in default messages

As I was testing the package, I noted that the email address of event coordinators are listed on the signup sheet instructions by DEFAULT.  These are not protected pages and anyone (or any bot) on the internet can get to them.  Thus, they can capture the event coordinator's email address and ensure that the coordinator gets unlimited solicitations for pharmaceuticals, unknown inheritances, compensated companionship, or any number of other annoyances.

I have removed it from all of my organization's default messages.

I would STRONGLY suggest that event coordinator contact information be removed from the default instructions and any other messages.  As a best practice, I would not include them in open messages or an open environment.  You may consider throwaway email addresses if you need to post contact informaiton openly.

Addressing coordinator e-mail exposure concerns

Thank you for the feedback! We take privacy issues very seriously. Ultimately you are correct and we will be making some improvements (see below for a specific list) to further protect coordinators’ e-mail addresses from internet crawlers. I want to emphasize that we are talking about the coordinator’s contact information on the “public” or “semi-public” sign-up sheet, and that participant information is restricted to secure access by the coordinator / administrator. We never permit posting of private identifying information on the “public” sign-up sheet.

The potential exposure to internet crawlers of a coordinator’s e-mail is not, at least initially or by default, as disturbing as it may first seem. We discuss this in our Terms of Service. Specifically, iVolunteerOnline will never publish direct or indirect links to your iVolunteer home page or any of your event sign-up sheets. These pages all have unique links that are not, initially or by default, "listed" anywhere on the internet. We consider our customers’ events their private material and intentionally do not provide any "global search" or "index" to those events. So by default the internet crawlers are not going to automatically find your iVolunteer sign-up sheets. It is up to you to decide how you want to publish your events to a potential volunteer pool. How you publish those links, and for how long, will affect the potential exposure of any information on the signup sheet.

Using a combination of practices, the administrator can control the level of exposure your sign-up sheets have to the public internet. Each event has a unique link that is not automatically published, so the exposure of each event’s sign-up sheet can be controlled independently. You can limit events exposure by publishing links to your events only through e-mail, or other restricted access sites such as a corporate web site requiring a login. You can prevent events from appearing on your iVolunteer home page by making them hidden, and you can further restrict access to your events by using a password (that would be shared among your volunteer pool). To the extent that you will want make an event more or less "visible" may depend on your pool of potential volunteers. For example: Is sign-up restricted to a known list that you can publish your events directly to by e-mail? Or do you need to recruit from a broader community by publishing a link on a public web site.

Even when you do choose to publish a link to your iVolunteer home page or your event(s) from a public web site (which we recognize that many of our customers do), we have proper metadata in our pages that directs the search engines NOT to index those pages. The major search engines such as Google do obey this request, so, for example, a coordinator’s e-mail should be unlikely to appear in a Google search due to being published in an iVolunteer sign-up sheet.

Obviously it can be inconvenient for participants if an organization does not provide a coordinator to contact with questions. We find that participants will contact us if a contact is not provided (sometimes they do anyway). In any case, rest assured that we are already looking at options to address the e-mail exposure concern, including: (A) imaging the e-mail address as graphics to better obscure it from crawlers; (B) providing an @ivolunteer address which we forward to the coordinator and/or; (C) providing a “contact” dialog that in-turn e-mails your coordinator. Please let us know which of these options you would feel most comfortable with. We continue to work to improve iVolunteerOnline primarily from customer feedback like yours.

Tad Woods


Thanks for the

Thanks for the clarification.  I feel better, but I still think I don't want direct email addresses listed on our organzation's page (we are a small, closed organization with a separate, password protected online directory all memebers can access).  I have removed that field from our defualt instructions to eliminate the exposure.


I think option B that you show above would be a great addition and would be my preference.  Option A may also work.


Thanks again.

Improving e-mail exposure concerns

We have made improvements to further address the potential concern of coordinator contact e-mail addresses being "picked up" from "public" sign-up sheets. Again, I want to emphasize that we are talking only about a coordinator's contact information on a "public" or "semi-public" sign-up sheet (e.g. because a customer might link to a sign-up sheet from a public web site); participant information is restricted to secure access by the coordinator / administrator. Also, we have not received specific complaints about spam coming to an event coordinator because of using iVolunteer, and we will continue to work proactively to prevent that from happening and to protect the privacy of our customers.

Some additional background: It has always been the case that iVolunteer uses almost no traditional HTML, so in that regard we are already "ahead of the game" vs. internet bots "picking up" content such as e-mail addresses from any publicly-exposed web page. However we are under no false impression that internet bots haven't begun the transition to scanning the DOM and/or raw http data stream. So rest assured this is something we continue to review.

The improvements are:

(A) Coordinator e-mail addresses that appear on potentially "public" event pages are obfuscated in a human readable fashion but not transmitted in clear text. This isn't a solution that will last forever, but currently bots will have to analyze the DOM (not just HTML) and apply the CSS in order to de-code the obfuscated addresses.

(B) If you still prefer not to use your own e-mail address for a coordinator contact, you may use an iVolunteer address in the format: [your organization unique id].[your event unique id]@ivolunteer.com. For example, the address for our example Benefit Luncheon event would be 79ware.luncheon@ivolunteer.com. This is essentially a temporary address that exists for the life of each event. To use this address, specify it as the event’s contact e-mail on the Details tab, and/or in your event’s instructions; be sure to use the correct address format as noted based on your organization ID and the specific event's ID. It works by forwarding any e-mail sent to that address to the primary and/or event administrator(s)' real e-mail address(es), which remain private. Notice that this is the same e-mail address that any e-mail reminders that you send for the event come from. This feature was implemented using the bounce-back forwarding feature, so for it to work you MUST check to enable getting notifications “on a bounceback” (under the Settings tab and Emails sub-tab) for at least one of the primary administrator or the event administrator(s).

Tad Woods