At Holderness we went live with OnMessage earlier this summer. Since then I've seen a 10 fold increase of spam messages in my email. Sites I've hosted through Wordpress I've included a Javascript embedder to display email addresses. This allows humans visited the website to see and interact with the email addresses, but prevents spam bots from 'harvesting' them emails. It does not appear that OnMessage uses Javascript to prevent spam bots. Please add that by default, or at least a security enhancement feature.
Short background for anyone curious in learning more: http://stackoverflow.com/questions/3663963/protecting-email-addresses-from-spam-bots-web-crawlers
This needs to be surfaced again.
Now, Blackbaud has implemented Javascript obfuscation for "mailto:" link targets; when I look at one of our Team Details pages on our Web site, I can Inspect the page and see that the element containing the link to the email address has had obfuscation applied to the link target; however, the email address itself is still in the code for the page (and on the page itself), clear as crystal:
This is absolutely trivial for a spider to extract and harvest email addresses from; it's the functional equivalent of closing and locking the doors of your school building, but leaving all the ground-floor windows open and unguarded.
Suggestions:
A "Send Email" button which only sends the obfuscated address through a de-obfuscation routine before sending the "mailto:coach@school.tld" to the browser to process;
Link the Coach name to the de-obfuscation routine without plain-texting the email address.
In this age of incessant onslaughts of "spear-phishing" email campaigns which result in data exfiltration, malware distribution through email which can ruin entire school campuses and "bait" emails which encourage users to fork over money or information, anything that can be done to shore up the defenses is worth doing...whether it's "voted" for or not.