Page 1 of 3 (results 1 to 10 of 22)

Thread: Potential Spam Loop Hole

#1 planetsean (Thread Starter, Junior Member, joined Jun 2009, USA)

    Potential Spam Loop Hole

Doing some testing tonight on my ClassiPress site I see a potential hole that spammers can use to contact sellers. If you view source on a listing page, you can clearly see the person's email address. A spam bot can read the source, grab the email address and off it goes.

    We need a contact form for the sellers that maybe pulls the email address from the database since it's already stored from the registration and not actually have it present on the form.

    I tested this while logged in and logged out with the same result. Not sure if this is a bug or if it's been reported before. I didn't see anything in the forum, so I started this thread.

    Thoughts?

#2 pepsi (joined Mar 2009, New Zealand)

    Re: Potential Spam Loop Hole

    Oh yeah it does too...thanks for pointing it out...

#3 herb_ (Senior Member, joined May 2009)

    Re: Potential Spam Loop Hole

    Good find. That should definitely be fixed.

    Especially since the submit ad form reads "Email (will not be displayed)"

    That gives a false sense of security.

    A fix would need to pull the email from each ad, because that email can be different than the email a user registers with.

#4 planetsean (Thread Starter)

    Re: Potential Spam Loop Hole

    Quote Originally Posted by herb_
    Good find. That should definitely be fixed.

    Especially since the submit ad form reads "Email (will not be displayed)"

    That gives a false sense of security.

    A fix would need to pull the email from each ad, because that email can be different than the email a user registers with.
    From what I can tell, for each ad listing, it pulls the email address of the registered users account. I wasn't aware that a user could change the email address on a per listing basis.

    Indeed I hope this gets fixed pretty quickly and should be a top priority as you mentioned.

#5 herb_

    Re: Potential Spam Loop Hole

    I think I see what's happening.

    When you are logged in and view source code (from any page I believe) you can see your own email that you registered with at:

    Code:
    <input type="text" id="email" class="adfields" name="email" size="60" maxlength="100" value="youremail@example.com" />
    When viewing the source code of an ad listing, and being logged in, you see that part above... and you will also see this:

    Code:
    <input type="hidden" name="receiver_email" value="exampleemailenteredinadlisting@hotmailm3gd0374hcom" />
When viewing the source code of an ad page while not being logged in, you can still see the emailenteredinadlisting@hotmailm3gd0374hcom but you don't see your own email that you registered with.

    ------------------------------------

When entering details in the form to list an ad, the registrant's email is automatically filled into the email field, but she can change it if she wants to receive responses at a different email address.

    It appears the "exampleemailenteredinadlisting" is very weakly encrypted. See for yourself.

#6 planetsean (Thread Starter)

    Re: Potential Spam Loop Hole

    Quote Originally Posted by herb_
When viewing the source code of an ad page while not being logged in, you can still see the emailenteredinadlisting@hotmailm3gd0374hcom but you don't see your own email that you registered with.

    ------------------------------------

When entering details in the form to list an ad, the registrant's email is automatically filled into the email field, but she can change it if she wants to receive responses at a different email address.

    It appears the "exampleemailenteredinadlisting" is very weakly encrypted. See for yourself.
The only thing sort of being encrypted is the dot com at the end of an email address. This takes a spam bot about 2 seconds to figure out. Using unicode or some other method to mix up an email address is super weak, as you mentioned.

    It would still be good to not even display the email address in the source, but have it pulled like the WordPress contact form plugin.
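Added example (not ClassiPress code, and not the script planetsean ran): what a harvesting bot of the kind discussed in posts #5 and #6 has to do per listing page. It pulls every hidden input out of the page source, takes `receiver_email`, and undoes the obfuscation. The obfuscation format is an assumption inferred from the quoted value `…@hotmailm3gd0374hcom`: the dot before the TLD is replaced by an alphanumeric junk token. A bot does not need to guess the split exactly; it can mail every candidate, so the code returns all of them with the most likely first. The sample HTML and address are constructed.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a listing page's source, modelled on the hidden field
# quoted in post #5. The address is fictitious.
SAMPLE_LISTING_HTML = """
<html><body>
<form method="post" action="/ads/123/">
  <input type="hidden" name="receiver_email" value="seller@hotmailm3gd0374hcom" />
  <input type="hidden" name="ad_id" value="123" />
  <input type="text" name="message" />
</form>
</body></html>
"""

# Assumption about the scheme: local@<domain><junk><tld>, where <junk> is an
# alphanumeric token containing at least one digit that replaced the dot.
KNOWN_TLDS = ("com", "net", "org", "edu", "info")
COMMON_MAIL_HOSTS = ("hotmail", "gmail", "yahoo", "aol", "live", "outlook")


class HiddenInputCollector(HTMLParser):
    """Collects name -> value for every <input type="hidden"> in a page."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value") or ""


def hidden_inputs(html):
    parser = HiddenInputCollector()
    parser.feed(html)
    return parser.hidden


def candidate_addresses(obfuscated):
    """Return plausible real addresses for an obfuscated value, best guess first.
    Returns [] if there is no '@', and the value unchanged if it is not obfuscated."""
    if "@" not in obfuscated:
        return []
    local, host = obfuscated.split("@", 1)
    host = host.lower()
    if "." in host:
        return [obfuscated]
    found = []
    for tld in KNOWN_TLDS:
        if not host.endswith(tld) or len(host) <= len(tld):
            continue
        body = host[: -len(tld)]
        # Try every split of body into <domain><junk>; the junk must hold a digit.
        for cut in range(2, len(body)):
            domain, junk = body[:cut], body[cut:]
            if re.fullmatch(r"[a-z][a-z0-9-]*", domain) and re.search(r"\d", junk):
                found.append(f"{local}@{domain}.{tld}")
    # Rank well-known mail providers first, then shorter (less junk-laden) guesses.
    found.sort(key=lambda addr: (addr.split("@")[1].split(".")[0] not in COMMON_MAIL_HOSTS,
                                 len(addr)))
    return found


def harvest(html):
    """One page's worth of bot work: read the hidden field, return the best guess."""
    guesses = candidate_addresses(hidden_inputs(html).get("receiver_email", ""))
    return guesses[0] if guesses else None


if __name__ == "__main__":
    print(harvest(SAMPLE_LISTING_HTML))
```

The point is that the "encryption" costs the attacker a string split and a handful of guesses; any scheme whose secret is visible in the same page source as the ciphertext is in the same position.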

#7 dcowgill (Founder, joined Mar 2009, San Francisco, CA)

    Re: Potential Spam Loop Hole

    Agreed. Yes, it's something that will get fixed. I wouldn't say spam bots can figure it out in 2 seconds though....

    The email address should not even be visible in the code and that's how I plan on changing it.
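Added example of the fix the thread is asking for, not ClassiPress code and not dcowgill's implementation: the public form carries only the ad id, the handler looks the recipient up server-side per ad (the per-ad address can differ from the account address, as post #3 notes) and passes it to the mailer, so no address ever reaches the browser. The ad store and mailer are stand-ins for the database and `wp_mail()`; the per-IP cap and the sender check are assumptions about what a sensible handler would add, since once the address is hidden the form itself becomes the spam path.

```python
import re
from collections import Counter

# Constructed ad records (not a real database). The per-ad contact address is
# stored with the listing and may differ from the account's registration email.
ADS = {
    123: {"title": "Used bike", "contact_email": "seller@hotmail.example"},
    456: {"title": "Desk lamp", "contact_email": "other-seller@example.org"},
}

# Rejects whitespace, so CR/LF can never reach the Reply-To header.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MAX_PER_IP = 5  # crude flood control; assumption, not part of the theme


def render_contact_form(ad_id):
    """Sidebar form for a listing. Carries only the ad id; no address is emitted."""
    if ad_id not in ADS:
        raise KeyError(ad_id)
    return (
        '<form method="post" action="/contact/">\n'
        f'  <input type="hidden" name="ad_id" value="{ad_id}" />\n'
        '  <input type="text" name="sender_email" />\n'
        '  <textarea name="message"></textarea>\n'
        '  <input type="submit" value="Send" />\n'
        '</form>'
    )


class OutboxMailer:
    """Stand-in for wp_mail(): records what would have been sent."""

    def __init__(self):
        self.sent = []

    def send(self, to, subject, body, reply_to):
        self.sent.append({"to": to, "subject": subject, "body": body, "reply_to": reply_to})


class ContactHandler:
    def __init__(self, ads, mailer):
        self.ads = ads
        self.mailer = mailer
        self.per_ip = Counter()

    def handle(self, form, client_ip):
        """Process one POST. Returns (status, message); the seller's address never leaves the server."""
        try:
            ad_id = int(form.get("ad_id", ""))
        except ValueError:
            return "error", "bad ad id"
        ad = self.ads.get(ad_id)
        if ad is None:
            return "error", "no such ad"
        sender = form.get("sender_email", "").strip()
        if not EMAIL_RE.match(sender):
            return "error", "invalid sender address"
        message = form.get("message", "").strip()
        if not message or len(message) > 4000:
            return "error", "empty or oversized message"
        if self.per_ip[client_ip] >= MAX_PER_IP:
            return "error", "too many messages from this address"
        self.per_ip[client_ip] += 1
        self.mailer.send(
            to=ad["contact_email"],  # looked up here, never shown to the browser
            subject=f"Enquiry about '{ad['title']}'",
            body=message,
            reply_to=sender,
        )
        return "ok", "message sent"


if __name__ == "__main__":
    mailer = OutboxMailer()
    handler = ContactHandler(ADS, mailer)
    print(render_contact_form(123))
    print(handler.handle({"ad_id": "123", "sender_email": "buyer@example.net",
                          "message": "Still available?"}, "10.0.0.1"))
    print(mailer.sent)
```

The check worth keeping from this is the first one in the lead-in: grep the rendered listing page for `@` after the change. If the fix is complete, the only addresses in the source are ones the visitor typed themselves.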

#8 planetsean (Thread Starter)

    Re: Potential Spam Loop Hole

    Quote Originally Posted by dcowgill
    Agreed. Yes, it's something that will get fixed. I wouldn't say spam bots can figure it out in 2 seconds though....
    I ran a little test on my site and sure enough I was able to run a script bot to figure it out pretty quickly... maybe not 2 seconds but pretty quickly.

    Quote Originally Posted by dcowgill
    The email address should not even be visible in the code and that's how I plan on changing it.
    Awesome. Good to hear. Thanks for chiming in on the thread.

#9 roxie (Amateur, joined May 2009)

    Re: Potential Spam Loop Hole

    Good to hear that David.
"An e-mail address shouldn't be visible in the code/source code."
The only way people should be able to contact an ad owner is via the contact form in the sidebar.
    Hope this will get fixed ASAP.

#10 roxie

    Re: Potential Spam Loop Hole

    Any updates on this David??
