
Making the Web Safer One Site at a Time

Posted by Kelly Ford on January 23, 2006 05:21 PM

This Week’s Lesson: Use Caution with Guestbooks

We wanted to share (with permission) some feedback we recently received from Brian Tiemann, the owner and webmaster of lionking.org (SiteAdvisor Analysis: LionKing.org), an unofficial fan site not associated with Disney. This tale starts a little scary, but it has a happy ending.

Lionking.org is a classic example of the Web’s promise: collecting and sharing information about a common interest, and building a community of like-minded surfers. This is the place to debate who rocks more: Simba or Timon?... or to submit your own Lion King art for others to see. The site boasts 200,000 pieces of user-submitted art already. What could be safer than this?

When Brian first e-mailed us, he was irritated. We had rated lionking.org red because we received, on average, 15 spammy e-mails per week after our bots signed up there with a unique e-mail address. Brian knew he wasn’t a spammer, so he was perplexed.

[Screenshot: SiteAdvisor rating balloon] We began receiving 15 spammy e-mails per week after we signed up.

"I would like to know where on my site you entered your e-mail address or signed up. The only place I can think you might mean is the guest book, and the only required field on that is the name," Brian wrote.

There’s the rub. We had signed the guest book, and we entered an e-mail address in the e-mail field. (Brian is right -- it wasn’t required, but it wasn’t discouraged either.) Then that e-mail was posted in full glory on the Web. It didn’t take long for spammers to visit the site’s guest book and screen scrape our address.

That’s when the deluge began:

[Screenshot: in-box] A sample from our in-box, after we signed lionking.org’s guest book.

Pharmaceutical discounts and Thai Ladies were among the classy e-mails we received. We also saw some classic phishing e-mails purporting to be from eBay and PayPal.

As you might expect for this genre of site, a fair number of guest book comments come from kids. Here’s a typical guest book comment from 12-year-old Katharina from Norway:

I am a 12-year-old girl from Norway who likes The Lion King very much... I go to the theatre and there we play "The Lion King". I am a fan and The Lion King is the funniest thing (theatre) =D And I like it so much...

The original posting included Katharina’s full name and e-mail address. In another posting, a 13-year-old posted a complete street address, open for all the world to see. Plus, we couldn’t find any kind of privacy policy on the site. That’s scary.

Lionking.org's guest book contained 10 years’ worth of monthly entries -- about 6,000 e-mail addresses for spammers to steal. That’s enough to be worth their while.

But our story takes a turn for the better. We responded to Brian’s e-mail, and we pointed out these issues. Brian couldn’t have been more cooperative in fixing the problem. Within two hours of receiving our reply, Brian had masked all 10 years’ worth of e-mail addresses, and he changed his guest book form to discourage posting of e-mail or physical addresses. Brian also added a privacy notice in the guest book area.

[Screenshot: guest book privacy notice] Lionking.org's guest book now discourages users from leaving full street addresses, and requires explicit opt-in before posting e-mail addresses.

Given Brian’s cooperation and his prompt change, we’ve modified our rating of his site from red to yellow. Our bots will continue to perform periodic random tests on his site, just like they do with every other site. When we’ve verified that e-mail addresses submitted to lionking.org don’t get too much e-mail, or e-mail with high SpamAssassin scores, the rating will change to green.

Now, some might argue that posting e-mails in the guest book was bad practice to begin with, and they'd be right. But you might want to give Brian at least a little bit of a break -- he says he coded the site himself 10 years ago in the Web’s infancy, when he was in college. The site grew organically since then -- he says it’s just a side hobby. So even as he added some whiz-bang features in other areas of the site, Brian just didn’t update the guest book’s functionality to keep up with the new threat of economically-motivated spammers. Live and learn.

There are a few lessons here for all of us:

1) For ordinary Internet users: Use caution with guest books and user review areas which request an e-mail address. Check the existing postings to be sure that e-mail addresses are not publicly posted. Spammers love these areas.

2) For Web site owners and developers: You are the first line of defense for protecting user data. The default posting of e-mail addresses, particularly of minors, is very bad practice: it invites spam and phishing, and for children it invites unwanted contact. If e-mail addresses must be posted, always require an explicit opt-in. Consider “address munging” (writing an address as “user at example dot org” or otherwise disguising it) to help prevent address harvesting by spammers, but treat it as a speed bump rather than a fix -- harvesters routinely decode the common munges, so the real protection is not publishing the address unless the visitor asked you to.

3) For all of us: Working together, we can continue to make the Web safer by quickly fixing problems as they are uncovered. Brian Tiemann and his lionking.org site are a great example.
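To make lesson 2 concrete, here is an added example (written for this post, not Brian's code or SiteAdvisor's) of the two rendering styles side by side: the legacy guest book that prints whatever the visitor typed, and a hardened version that escapes output, publishes an address only when the visitor explicitly opted in, munges it even then, and masks the 10 years of archived addresses that were collected without opt-in. A harvester-style regular expression, of the kind a spammer's scraper would run, is applied to both pages to show what each one leaks. The entries, names and addresses are constructed sample data.

```python
import html
import re
from dataclasses import dataclass


@dataclass
class GuestbookEntry:
    name: str
    email: str                 # may be empty: the e-mail field was optional
    comment: str
    show_email: bool = False   # explicit opt-in; the default is "do not publish"


# Constructed sample entries (made-up names and example.* addresses).
SAMPLE_ENTRIES = [
    GuestbookEntry("Katharina", "katharina@example.org", "I like The Lion King very much"),
    GuestbookEntry("Brian", "webmaster@example.net", "Thanks for visiting", show_email=True),
    GuestbookEntry("Anon", "", "No e-mail given"),
]

# Roughly what a scraper matches when it screen-scrapes a page for addresses.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def harvest(page_html):
    """Return every address a naive harvester would lift from the page."""
    return EMAIL_RE.findall(page_html)


def render_legacy(entries):
    """The old pattern: the address goes into the page in full, unescaped."""
    rows = []
    for e in entries:
        rows.append(f"<p><b>{e.name}</b> &lt;{e.email}&gt;<br>{e.comment}</p>")
    return "\n".join(rows)


def mask_email(addr):
    """Retrofit for archived entries: 'katharina@example.org' -> 'k***@example.org'.
    The local part is never emitted, so the regex above cannot reassemble it."""
    local, _, domain = addr.partition("@")
    return f"{local[:1]}***@{domain}"


def munge_email(addr):
    """Address munging as the post suggests: 'user at example dot org'.
    Caveat: this only raises the bar; harvesters decode common munges,
    so it is layered on top of opt-in, not used instead of it."""
    local, _, domain = addr.partition("@")
    return f"{local} at {domain.replace('.', ' dot ')}"


def render_hardened(entries):
    """Opt-in required to publish; archived addresses masked; all output escaped."""
    rows = []
    for e in entries:
        name = html.escape(e.name)
        comment = html.escape(e.comment)
        if not e.email:
            contact = ""
        elif e.show_email:
            contact = " (" + html.escape(munge_email(e.email)) + ")"
        else:
            contact = " (" + html.escape(mask_email(e.email)) + ")"
        rows.append(f"<p><b>{name}</b>{contact}<br>{comment}</p>")
    return "\n".join(rows)


if __name__ == "__main__":
    print("legacy page leaks:  ", harvest(render_legacy(SAMPLE_ENTRIES)))
    print("hardened page leaks:", harvest(render_hardened(SAMPLE_ENTRIES)))
```

Running it against the sample entries, the legacy page hands the scraper both real addresses, while the hardened page yields none: the opted-in address appears only in munged form and the archived one only as a masked stub. The `html.escape` calls are ordinary output hygiene for any page that echoes visitor input, independent of the e-mail question.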


Comments

very informative story:)

What happens when site advisor posts false information about another persons site?

Are they held liable??

My site, for example, has a yellow caution exclamation flag with regards to a 1.2 emails per week rating by Site Advisor.

So Site Advisor is telling people that I have sent or will send ~ 62.4 emails in a 52 week period of time.

However, by my math, and I can provide evidence to back it up (not that it's any of your business anyway), but...

I have only sent out 6 emails to each voluntary subscriber in the last 52 week period of time. That comes out to 0.11 emails per week not 1.2 emails per week.

I'd appreciate it if you'd correct this error.

Thanks,
Robert

P.S. I sent you an email concerning this.

Hi Robert,
This is Chris Dixon from SiteAdvisor. We will look into this rating. We have found some cases where our yellow rating is too critical. This might be one of those cases. We are very likely going to be adjusting the algorithm accordingly. I'll email you directly but please rest assured we will investigate it and promptly correct it if it's a mistake.

Thanks for the quick response and for manually reviewing my site.

I was happy to see that there has been a mix up with regards to my site and that you are willing to correct it.

Believe me, I hate SPAM as much as you do and being labeled as such really was disturbing.

I'm very glad that there are real live human beings at the other end of site advisor as well.

Thanks again,
Robert Sigler
