Letter in Listener



10-03-2002, 07:29 AM
For security, my email (Eudora) is totally separate from my browser, so my knowledge of browser-associated email and the way it works is severely limited.

I want to reply to the second letter in the 'Listener' this week, going on about how your 12-year-old can be entrapped by porn, and I want to be absolutely sure I have my facts right.

If you also use your browser (MSIE or Netscape, any version) for your email, is there ANY way in which a visit to a website COULD enable the website operator to ferret out your email address?

The author of this letter is trying to set up a scare to the effect that young people will get tons of objectionable spam if they ever go near a porn site.

I'm pretty sure he's talking rubbish and this is technically impossible. But in the environment of all-purpose browser/email/news clients, could I be wrong?

And if it is so, should there not be a fix for this vulnerability?

Steve B.

10-03-2002, 08:22 AM
Steve

I think the number of ways of getting an email address are limited only by your imagination.

My official email address for PCWorld was posted on the site to ask people to contact me on a particular topic. Within 24 hours I was starting to get email to that address that was spam (never had before).

People will also sell mailing lists, or just send to random names at large domains like hotmail and yahoo.

If you try to unsubscribe, you could end up getting caught that way.

I could go on (some say I usually do).

Does that help?

robo.

10-03-2002, 08:37 AM
Well it happens to me all the time.

I'd love to know a fix.

10-03-2002, 11:17 AM
Hi Steve
I am in a Javascript (Java?) group. Within the past week someone, whom I will
call 'S. B. Smith' as I don't wish to mention names, asked the
following. I have posted his question and given two replies.

Subject: Can I get the mail address of the caller?

I'm working on a website right now where we need to get some idea of who
started the session.
Up to now the client has been happy with us just collecting the 'normal'
server variables such as the ip address etc.
Is there any way I can grab something more meaningful, like the company
name, email address (or part thereof) etc so we really had some idea who
came to the site?
(1)
Ummm, no... not without a signed applet or ActiveX control of some sort,
which you would have to allow to run. How would you like it if sites did
that to you? Even Microsoft won't go that far.

You can do a reverse DNS lookup on the IP to get *some* idea of who owns
the network the user is on, but that's about it.
(2)
In the form where the posting is first made, ask for this and make it a
required field.

10-03-2002, 02:16 PM
The easiest way is to exploit any holes in IE. The number of people who have unpatched systems or 'don't believe in updating' is unreal. I suspect an ActiveX script is causing the latest lot of homepage takeovers but I haven't seen it myself. (If anyone has found it let me know.)

The second thing is to have a good ISP that blocks known spammers and have an unusual email name. Not one with a normal word in it and definitely one without your NAME in it.

10-03-2002, 03:09 PM
Steve, funny you should ask this one. I was just recently reading the FAQs of a site meter and here is one of the interesting questions:

'Q: I want to send email to everyone that visits my site. Will this site meter tell me my visitor's email address?

A: Sorry, It isn't possible to find out the email address of your visitors without them knowing. That is probably a good thing because otherwise you'd get spam from every web site that you visit. The best way to get a visitor's email address is to ask them for it.'

From that, I deduce that it IS possible to get people's email addresses, and 'unsavoury' types of sites with no scruples would probably certainly do so.

11-03-2002, 01:05 PM
With the latest version of the mainstream browsers it's not possible for a site to obtain your email address. Older browsers (Netscape 2 era) had a flaw that did allow it, but that's really a long time ago. Whether you're using a browser/email combo or an independent email client would only make a difference if you were using one of those older browsers.

The above of course doesn't take into account clicking on malicious links that enable dodgy site operators to run a script which gives them access to your computer entirely. Make sure your browser has latest security patches, and stay away from dodgy sites.
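
Added illustration (not written by any poster in this thread): the Python sketch below lists the 'normal' server variables a site receives with a page request and scans every field for address-shaped strings, which goes a little beyond the single case discussed above. The two sample requests, the IP 203.0.113.7 and the function name email_exposure are constructed for the example.

```python
import re
from email.parser import Parser
from urllib.parse import unquote

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample requests (not captured traffic).
# An ordinary page visit: nothing in it names the person browsing.
PLAIN_VISIT = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    "Accept-Language: en-nz\r\n"
    "\r\n"
)
# A visit where an address rides along: a link followed from a webmail page
# whose URL contains the address, and a cookie this site set at an earlier login.
LEAKY_VISIT = (
    "GET /welcome?src=newsletter HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Referer: http://webmail.example.net/read?user=kid%40example.org&msg=12\r\n"
    "Cookie: sid=abc123; login=kid@example.org\r\n"
    "\r\n"
)

def email_exposure(raw_request, peer_ip):
    """Return (fields the server sees, {field: [addresses found in it]})."""
    request_line, _, header_block = raw_request.partition("\r\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    seen = {"ip": peer_ip, "request": request_line}
    seen.update({name.lower(): value for name, value in headers.items()})
    leaks = {}
    for field, value in seen.items():
        if field == "ip":
            continue  # an IP maps to a network via reverse DNS, not to a mailbox
        found = EMAIL_RE.findall(unquote(value))  # decode %40 before matching
        if found:
            leaks[field] = found
    return seen, leaks

if __name__ == "__main__":
    for name, req in (("plain", PLAIN_VISIT), ("leaky", LEAKY_VISIT)):
        seen, leaks = email_exposure(req, "203.0.113.7")
        print(name, "fields:", sorted(seen), "addresses:", leaks or "none")
```

The same scan can be pointed at requests saved from a proxy or a browser's network log to check whether any URL, Referer or cookie is carrying an address to third-party sites.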