[I e-mailed the following to Paypal through the Paypal security center before I found these forums and thought this might also interest people here...] While browsing the documentation on adding donation buttons to websites, I noticed something that has recently become a huge problem: The html form code for the button includes a plaintext e-mail address into the html code. What this means: 1) I put such a button on my website 2) someone visits the website and the webpages get stored in their Internet Explorer's web cache 3) the person gets infected by a mass-mailing virus such as "Swen" 4) I get mailbombed with virus e-mails because the virus harvests my e-mail address out of the donation button code in their IE's webcache. :( Since ridding the world of virusses or ridding it of the virus-prone Outlook/Outlook Express is not an option, the only option is to not use plaintext e-mail addresses on webpages. I was hit reasonably hard by the Swen virus because I was stupid enough to put my e-mail address un-munged on a newsgroup's FAQ webpage (downloading 5-10Mbyte of virus-mails per day over dial-up is not fun...) , so I prefer not to get into the same kind of mess if I'd put a Paypal donate button on (a) webpage(s). :( Marco van Loon (who runs Linux and can't get infected by the stupid mailvirusses; just mailbombed by them... :( )

<blockquote id="quote"><font size="1" face="Verdana, Arial, Helvetica" id="quote">quote:<hr height="1" noshade id="quote">Originally posted by PayPalSteve
[br]There are ways to encrypt or even hide your code, you might want to check out the security options at:
http://iva.tech.nu or
<hr height="1" noshade id="quote"></blockquote id="quote"></font id="quote">
Those "obnoxifying" javascripts only work against certain webbrowsers
_and_ only if they've got javscript activated...
They certainly won't work against a virus' "string parser" parsing
a html file...
[qoute]
http://www.pc-help.org/obscure.htm or http://www.dynamicdrive....dynamicindex9/encrypter
[/quote]
Ah, obscuring, often used by spammers to try and circumvent
spamfilters. I'm guessing that many spamfilters already have
uri_unescape functions available and I doubt it will take long
for virus developers to adopt those functions into their virusses
if they haven't already. And then it's just a case of the virus,
instead of only scanning for some@thing, also scanning for some%40thing and some&64;thing to locate e-mail addresses... :(

Doing some Googling, I found losts of links of the type:
https://www.paypal.com/refer/pal/=[13-char-uppercase-alphanumeric-string]
so Paypal apparently has or had a system where some or all users
have/had some kind of userID string.
To me such a userID would seem an excellent idea to put into
the 'business' field of donations HTML forms instead of the e-mail address. No more e-mail address harvesting is possible for
virusses and spammers that way. :)


Marco van Loon

<blockquote id="quote"><font size="1" face="Verdana, Arial, Helvetica" id="quote">quote:<hr height="1" noshade id="quote">Originally posted by Marco van Loon
[br][I e-mailed the following to Paypal through the Paypal security
center before I found these forums and thought this might also
interest people here...]

While browsing the documentation on adding donation buttons
to websites, I noticed something that has recently become a huge
problem:
The html form code for the button includes a plaintext e-mail address into
the html code.

<hr height="1" noshade id="quote"></blockquote id="quote"></font id="quote">

You can encrypt the buttons so that there is no plaintext email, rather than using the obfuscation techniques that don't work in all browsers, you can either generate an encrypted button with PayPal's button factory, or use this to generate your own dynamically:
http://www.stellarwebsol...tton_encryption_php.php



Tyler
Stellar Web Solutions - e-Solutions for e-Commerce
Secure Payment, Ordering, Shipping, Electronic Goods Delivery
http://www.stellarwebsolutions.com/

Track PayPal Donations Live http://www.stellarwebsolutions.com/en/products.php