From: Mike Rose <mrose@stsci.edu>
Date: Wed, 21 Feb 1996 09:27:14 +0800
To: cypherpunks@toad.com
Subject: Re: JavaScript to grab email
Message-ID: <9602202009.AA09881@MARIAN.SOGS.STSCI.EDU>
MIME-Version: 1.0
Content-Type: text/plain


>>>>> On Tue, 20 Feb 96 14:40:30 EST, Mike Rose <mrose@stsci.edu> said:

>Changing the email address known to netscape doesn't help.  Your email
>address is in the message sent, regardless of what netscape thinks
>your identity is.

Sorry for the imprecision here.  I was referring to Netscape 2.0 on
unix here.  Changing the email address known to netscape is
insufficient for non-root users on unix systems, because sendmail will
put your real address into the headers.

The auto-responder used by the posted example page apparently isn't
sophisticated enough to extract the real address, but the address is
still in the headers for someone to extract.

For those who haven't read the script, the technique used is as
follows.  A java script sends a mail message to the author of the
script.  The identity of the sender is in the mail headers.  The
script does not look at netscape variables or otherwise get the
information from netscape or the environment.

The major point is that setting a bogus email address in netscape will
not necessarily prevent your email address from being captured in this
manner.

Mike