Nov 7, 2011

Does your blog/forum help spammers?

Do you know that your blog or forum may help spammers to gather e-mail addresses of commenters even if you hide their e-mail addresses?

Recently I discovered one interesting blog and made a comment on one post. There was a checkbox to subscribe to updates of the comments. I ticked it because I was interested in the topic. When comments started to arrive in my e-mail, I noticed that they were sent from the e-mail addresses of the people who had commented. E-mail addresses were hidden on the blog, but as soon as you subscribe to comments, you get the e-mail addresses of all commenters. That would help spammers a lot if the blog uses the Gravatar service for user pictures. Gravatar binds e-mail addresses to pictures. Blogs can show pictures of users if the user provided a valid e-mail address. Thus, if the blog is known to use Gravatar, many users will supply a real, valid e-mail address. Here you get spammers subscribing and harvesting a lot of valid e-mail addresses. Update/clarification: this is not a problem of Gravatar! It is your blogging software that sends such e-mails. Gravatar only shows pictures and is not vulnerable at all.

There is another view on this problem: the blog says that the e-mail address will not be revealed but, in fact, it reveals the address. So it may have legal privacy implications. I notified the blog's owner about the issue.
Conclusion: never use a user's e-mail address as the sender of anything the web site sends.
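As an added illustration (not code from the blog or from any particular blogging software), the snippet below builds a comment-notification e-mail in the leaky way described above, next to a hardened version that sends from a site-owned address and points readers at a reply link instead of exposing the commenter's address. The sender address, site URL and sample comment are constructed assumptions.

```python
from email.message import EmailMessage

SITE_SENDER = "noreply@blog.example"  # assumed site-owned sender address

# Constructed sample data: one commenter and one subscriber
COMMENT = {
    "id": 42,
    "post": "does-your-blog-help-spammers",
    "author": "Alice",
    "author_email": "alice@example.org",  # must never reach other subscribers
    "body": "Interesting point about comment subscriptions.",
}
SUBSCRIBER = "bob@example.net"


def leaky_notification(comment, subscriber):
    """The behaviour described in the post: the commenter's own address is the sender."""
    msg = EmailMessage()
    msg["From"] = f"{comment['author']} <{comment['author_email']}>"
    msg["To"] = subscriber
    msg["Subject"] = f"New comment on {comment['post']}"
    msg.set_content(comment["body"])
    return msg


def safe_notification(comment, subscriber, site_url="https://blog.example"):
    """Hardened form: site-owned From, no Reply-To, and a link back to the reply form."""
    msg = EmailMessage()
    msg["From"] = f"Blog comments <{SITE_SENDER}>"
    msg["To"] = subscriber
    msg["Subject"] = f"New comment on {comment['post']}"
    reply_link = f"{site_url}/{comment['post']}#reply-{comment['id']}"
    msg.set_content(
        f"{comment['author']} wrote:\n\n{comment['body']}\n\nReply here: {reply_link}\n"
    )
    return msg


def reveals_commenter_address(msg, comment):
    """Pre-send check: does any header or the body contain the commenter's address?"""
    needle = comment["author_email"].lower()
    headers = " ".join(str(v) for v in msg.values()).lower()
    body = msg.get_content().lower()
    return needle in headers or needle in body
```

Running `reveals_commenter_address` on every outgoing notification is a cheap regression check that catches a leak whether it comes from the From header, a Reply-To header, or a templated body.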


  1. Putting the e-mail in the Reply-To field would be a nice idea if there were no spammers :( . A more secure solution is to include a link in the letter, which will instantly open the reply form for the needed comment and prefill the user's data.

  2. Yes, it's a very nice solution to avoid spamming.