1. I'm a registered and logged in member. 2. I checkout someone's personal account page and see email - n/a I can't see someone's email even if i'm registered and logged in - spam countermeasure, right?
1. I'm not logged in (registration doesn't matter). 2. I goto Sign In screen, Click Forgot Password and enter someone's username and then i see his email revealed in a message saying that instructions have been mailed to his inbox. Even unlogged user can see someone's email address
My suggestion
Just remove the email address from that message. Or maybe add a captcha to forgot my password screen.
The reason I put the email in there in the first place is because I've used password retrievals before where I can't remember which email address I had used on the site. If it is an email that I no longer have access to, I want to be aware of it so I can contact the admins about it.
Do you think just displaying the domain is a good enough resolution?
Like, "A message has been sent to your hotmail.com email address with password reset instructions"
maybe just use some javascript document.write to output it? then spambots won't be able to read it.. there's a lot scripts and plugins for blogs (i use Textpattern) that do this like this somefunction("my@email.addr") or somefunction(variable_with_mail_address) to zazzle the output through javascript..
or display a domain name. but this won't help me, i have 4 accounts on gmail.com, you see..
JS would work to avoid spambots but the issue here is for users privacy, finnish. I thought the same as you the first time round till someone pointed out the reason users hid their email is cause they didnt want people knowing it.
I'm guessing either the domain or the username would work. But i use the same username for a couple of my domains. Perhaps you could do some funky 1st/3rd/5th character thing? i.e. b*d*s**@h*t*a**.com thing? :D