[Full-Disclosure] Simple but Effective Spam Harvester Solutions

From: Andrew Smith (stfunub_at_gmail.com)
Date: 10/09/04

    To: full-disclosure@lists.netsys.com
    Date: Fri, 8 Oct 2004 23:09:13 +0100
    
    

    Not entirely sure if this is appropriate for full-disclosure. Ah well.

    As you may well know, there are programs that scour the internet
    looking for email addresses. Some people attempt to thwart them by
    writing emails like "my_email (AT) mydomain (DOT) com". These don't
    really work, so I figured some of my own out. They appear to have been
    successful; I will share them with you now.

    Using HTML Escape characters is a popular method, eg:

     <a href="mailto&#58;escchar&#64;shiz&#46;biz">contact me</a>
    This works quite well but is easy to defeat (more on HTML escape
    chars: http://www.theukwebdesigncompany.com/articles/entity-escape-characters.php)

    I then started toying with JavaScript; this worked great. Here are
    some examples:

    <script>
    document.write('<a href="mailto:js1');
    document.write('@shiz.biz');
    document.write('">contact me</a>');
    </script>

    <script>
    // the domain and local part never appear together in the static HTML
    var a = "@shiz.biz";
    document.write('<a href=mailto:');
    var b = "js2";
    document.write(b);
    document.write(a);
    </script>
    >contact me</a>

    <!-- a.htm defines var a (the domain) and b.htm defines var b (the local part) -->
    <script language="Javascript" src="a.htm"></script>
    <script language="Javascript" src="b.htm"></script>
    <script>
    document.write("<a href=mailto:");
    document.write(a + b);
    </script>>contact me</a>

    This also worked pretty well, and as it gets more complicated it is far harder to defeat.
    Then I found PHP could be used: creating a file called 'mail.php' and entering:

    <?php
    // the address lives only in server-side code; the browser gets a redirect to the mailto: URL
    header("Location: mailto:form2@shiz.biz");
    ?>

    into it meant that linking to mail.php would launch an email.

    Anyways, more info can be found here: http://www.wheresthebeef.co.uk/?p=hat

    I hope some people have found this useful.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
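The post says entity escaping is "easy to defeat" while runtime JavaScript assembly is not. The following is an added example, not part of the original post, that a site owner can run under Node.js to check their own markup: it decodes numeric entities the way a static scanner would and reports which addresses are still recoverable from the page source. All sample markup is constructed for the demo.

```javascript
// Added example (not from the original post): self-check of which
// obfuscation technique still leaks an address to a static scan.
// Assumes Node.js; the sample page below is constructed for the demo.

// Encode every character as a decimal HTML entity, as in the post's
// "mailto&#58;escchar&#64;shiz&#46;biz" link.
function entityObfuscate(text) {
  return Array.from(text, ch => `&#${ch.codePointAt(0)};`).join('');
}

// Undo decimal (&#58;) and hex (&#x3a;) numeric entities. A scanner
// that does this first sees straight through entity escaping.
function decodeNumericEntities(html) {
  return html.replace(/&#(x[0-9a-f]+|\d+);/gi, (_, code) =>
    String.fromCodePoint(code[0].toLowerCase() === 'x'
      ? parseInt(code.slice(1), 16)
      : parseInt(code, 10)));
}

// What a purely static scan recovers: decode entities, then match
// addresses in the raw source. Script bodies are scanned verbatim,
// since a static scanner reads the source, not the rendered DOM.
const EMAIL_RE = /[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}/gi;
function findAddressesStatic(html) {
  return decodeNumericEntities(html).match(EMAIL_RE) || [];
}

// Constructed sample page using the techniques from the post.
const samplePage = `
<a href="mailto${entityObfuscate(':escchar@shiz.biz')}">contact me</a>
<script>
document.write('<a href="mailto:js1');
document.write('@shiz.biz');
document.write('">contact me</a>');
</script>
<a href="mail.php">contact me</a>
`;

// Only the entity-escaped address survives the static scan; the
// JavaScript-assembled one and the PHP redirect are not in the source.
console.log(findAddressesStatic(samplePage)); // [ 'escchar@shiz.biz' ]
```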

