Re: JavaScript to grab email
On Tue, 20 Feb 96 14:40:30 EST, Mike Rose <mrose@stsci.edu> said:
Changing the email address known to netscape doesn't help. Your email address is in the message sent, regardless of what netscape thinks your identity is.
Sorry for the imprecision here. I was referring to Netscape 2.0 on unix here. Changing the email address known to netscape is insufficient for non-root users on unix systems, because sendmail will put your real address into the headers. The auto-responder used by the posted example page apparently isn't sophisticated enough to extract the real address, but the address is still in the headers for someone to extract.

For those who haven't read the script, the technique used is as follows. A java script sends a mail message to the author of the script. The identity of the sender is in the mail headers. The script does not look at netscape variables or otherwise get the information from netscape or the environment.

The major point is that setting a bogus email address in netscape will not necessarily prevent your email address from being captured in this manner.

Mike
On Tue, 20 Feb 1996, Mike Rose wrote:
Sorry for the imprecision here. I was referring to Netscape 2.0 on unix here. Changing the email address known to netscape is insufficient for non-root users on unix systems, because sendmail will put your real address into the headers.
How about setting the mail proxy to something bogus? ;)
--
Ed Carp, N7EKG    Ed.Carp@linux.org, ecarp@netcom.com
214/993-3935 voicemail/digital pager
800/558-3408 SkyPager
Finger ecarp@netcom.com for PGP 2.5 public key    an88744@anon.penet.fi
"Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'"
-- "Losing Your Mind", Karen Alexander and Rick Boyes
The mark of a good conspiracy theory is its untestability.
-- Andrew Spring
On Tue, 20 Feb 1996, Ed Carp wrote:
On Tue, 20 Feb 1996, Mike Rose wrote:
Sorry for the imprecision here. I was referring to Netscape 2.0 on unix here. Changing the email address known to netscape is insufficient for non-root users on unix systems, because sendmail will put your real address into the headers.
How about setting the mail proxy to something bogus? ;)
Like "127.0.0.1:7"? :)
On Tue, 20 Feb 1996, Mike Rose wrote:
On Tue, 20 Feb 96 14:40:30 EST, Mike Rose <mrose@stsci.edu> said:
Changing the email address known to netscape doesn't help. Your email address is in the message sent, regardless of what netscape thinks your identity is.
Sorry for the imprecision here. I was referring to Netscape 2.0 on unix here. Changing the email address known to netscape is insufficient for non-root users on unix systems, because sendmail will put your real address into the headers.
AFAIK, Netscape does not use sendmail directly to send mail, but instead contacts a user specified SMTP server and the e-mail is sent from there. If you set the SMTP server to a fake value, or just delete the field, the Javascript program will not work. Of course, you won't be able to use Netscape mail capabilities either.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
markm@voicenet.com | finger -l for PGP key 0xf9b22ba5
http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5
On Feb 20, 3:09pm, Mike Rose wrote:
For those who haven't read the script, the technique used is as follows. A java script sends a mail message to the author of the script. The identity of the sender is in the mail headers. The script does not look at netscape variables or otherwise get the information from netscape or the environment.
Javascript is coming to annoy me more and more all the time. I can turn off Java in Netscape, but I can't turn off Javascript, and I've already encountered pages which use Javascript to animate status bars and so on. My web browser should *not* be generating 90% of my usage, or if it is, there should be a way of turning it off.

So, here's a proposal for those who (a) run high-traffic sites and (b) are similarly annoyed with the Netscape plan. Insert the following at the top of your top-level page.

    <BODY onLoad="document.mailme.submit()">
    <!-- First found at http://www.popco.com/grabtest.html -->
    <form method=post name="mailme" action="mailto:support@netscape.com?subject=javascript breaks privacy protections">
    <h3>Viewing this page has automatically sent a short piece of protest e-mail to Netscape.</h3>
    <input type=hidden name="Please let users turn " value="JAVASCRIPT OFF NOW!">
    </form>
    [the rest of your page here] ...
    </BODY></HTML>

They *might* get the point.

<excuse> It's *not* spamming them! Folks'll only--at most--send them about fifteen messages a day! </excuse>

They can use it to replace cookies, if they ever get rid of cookies.

["Alright, Jim, we've had to reboot the mail server fifteen times today, which suggests that there's about fourteen thousand more users than yesterday... Pity they can't talk to us, eh?"]

<malicious grin>

frodo =)

--
Richard Martin
Alias|Wavefront - Toronto Office [Co-op Software Developer, Games Team]
rmartin@aw.sgi.com/g4frodo@cdf.toronto.edu http://www.io.org/~samwise
Trinity College UofT ChemPhysCompSci 9T7+PEY=9T8 Shad Valley Waterloo 1992
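The technique discussed in this thread, a form with a `mailto:` action that script submits on page load so that the visitor's own mailer reveals their address, can be spotted statically in page source. The following Node.js check is an added example, not part of any message above; its function names and the sample page (with `example.invalid` placeholder addresses) are constructed for illustration.

```javascript
// Added example (not from the thread): flag forms that post to a mailto: URL
// and are submitted by script with no user action. Regex-based on purpose:
// small and dependency-free, not a full HTML parser.
const esc = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Read one attribute from a tag's source; handles "x", 'x' and bare values.
function attr(tag, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Collect script text: quoted on* handler attributes and <script> bodies.
function scriptText(html) {
  const parts = [];
  for (const m of html.matchAll(/\bon\w+\s*=\s*(?:"([^"]*)"|'([^']*)')/gi)) parts.push(m[1] ?? m[2]);
  for (const m of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) parts.push(m[1]);
  return parts.join('\n');
}

function findAutoMailForms(html) {
  const code = scriptText(html);
  const findings = [];
  let index = 0;
  for (const m of html.matchAll(/<form\b[^>]*>/gi)) {
    const i = index++; // position in document.forms
    const action = attr(m[0], 'action') || '';
    const name = attr(m[0], 'name');
    if (!/^\s*mailto:/i.test(action)) continue;
    // submit() reached by index (forms[0]) or by name (document.x, forms.x, forms["x"])
    const targets = [`forms\\s*\\[\\s*${i}\\s*\\]`];
    if (name) {
      const n = esc(name);
      targets.push(`(?:document|forms)\\s*(?:\\.\\s*${n}\\b|\\[\\s*["']${n}["']\\s*\\])`);
    }
    const autoSubmit = new RegExp(`(?:${targets.join('|')})\\s*\\.\\s*submit\\s*\\(`).test(code);
    findings.push({ name, action, autoSubmit });
  }
  return findings;
}

// Constructed sample page; the addresses are placeholders.
const SAMPLE = `
<body onLoad="document.mailme.submit()">
<form method=post name="mailme" action="mailto:collector@example.invalid?subject=hello">
<input type=hidden name="note" value="x"></form>
<form name="contact" action="mailto:webmaster@example.invalid">
<input type=submit value="Send"></form>
<form name="search" action="/search"><input name="q"></form>
</body>`;
console.log(findAutoMailForms(SAMPLE));
```

A `mailto:` form with `autoSubmit: false` is an ordinary contact form that only sends when the visitor presses the button; the auto-submitted one is the case the thread is about.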
participants (5)
- Ed Carp
- Jason Rowley
- Mark M.
- Mike Rose
- Richard Martin