Friday, November 19, 2010

Visitors Book Spam

I received two emails this morning from people who had received spam from someone who claimed to have got their profile from my website G4ILO's Shack. I don't have user profiles on my site. The only place the spammer could have got the email address is from the visitors' book, and sure enough, when I checked, both these people had made entries in it.

The visitors' book uses the common trick of obfuscating the email address by encrypting it and using a JavaScript function to display it in the user's browser. This worked on the assumption that spammers' email-harvesting bots simply grabbed the raw HTML pages and didn't use an actual browser, so the JavaScript didn't run and the email addresses remained hidden from the spammer.

I guess it was only a matter of time, given that computers are now much faster, before spammers started using embedded web browsers to load web pages before scanning them for email addresses. That is the only explanation I have for this. I have removed the display of the email address from the visitors' book comments entirely, which should prevent this happening in future.

Some visitors ask questions or mention something interesting in their comments and I thought it would be useful for those who read them to be able to reply if they wish. But I doubt that many people take advantage of this, so removing the email address is probably no great loss.
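The obfuscation described above, and why it only holds against readers of the raw HTML, as an added example that is not code from G4ILO's Shack. The XOR-and-hex encoding, the markup and all function names are assumptions (the post does not say which scheme the site used), and the entry is constructed.

```javascript
// Added example: constructed data, hypothetical function names.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

// Server side: XOR each character with a one-byte key and hex-encode it.
// (Assumed scheme; the post does not say which encoding the site used.)
function obfuscate(email, key) {
  return [...email]
    .map(c => (c.charCodeAt(0) ^ key).toString(16).padStart(2, "0"))
    .join("");
}

// Client side: what the page's display function has to do in the browser.
function deobfuscate(hex, key) {
  return hex.match(/../g)
    .map(h => String.fromCharCode(parseInt(h, 16) ^ key))
    .join("");
}

// Markup for one visitors' book entry. The key must ship with the page,
// otherwise the visitor's own browser could not decode the address.
function renderEntry(name, email, key, showEmail) {
  const contact = showEmail
    ? ` <span class="em" data-k="${key}" data-e="${obfuscate(email, key)}"></span>`
    : "";
  return `<li>${name}${contact}</li>`;
}

// What a raw-HTML reader sees: the markup exactly as served.
function staticView(html) {
  return html.match(EMAIL_RE) || [];
}

// What any client that runs the script sees: spans filled in with decoded text.
function renderedView(html) {
  const shown = html.replace(
    /<span class="em" data-k="(\d+)" data-e="([0-9a-f]+)"><\/span>/g,
    (_, k, e) => deobfuscate(e, Number(k))
  );
  return shown.match(EMAIL_RE) || [];
}

const entry = renderEntry("Constructed Visitor", "visitor@example.org", 42, true);
const fixed = renderEntry("Constructed Visitor", "visitor@example.org", 42, false);
console.log(staticView(entry), renderedView(entry), renderedView(fixed));
```

Only the last case, where the address is never sent to the client, leaves nothing to recover in either view.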
