mailto:mailto:mailto:mailto…

 By Shamus Jun 4, 2009 38 comments

The other day when I was writing the post about programming, I wanted to look at the NeHe site and figure out who was the original creator of the thing. (It has multiple contributors now.) I shuffled through the pages, came up empty, and then clicked on the “contact us” link. Suddenly, it was 1998 again:

ie_sucks.jpg

The page uses some ill-behaved javascript to create a mailto: link, and for some reason this invoked Internet Explorer. I’m not sure how that happened. Firefox is my default browser and Thunderbird is my default client. There shouldn’t be any cases or links which can bring up IE. (This was alarming, since I’ve never bothered to upgrade IE and so I’m using the virus-friendly IE6.) I don”t know if it was the fault of the javascript or IE, or some beautiful synergy between the two, but the result was a cascade of 60 IE windows. I haven’t had this happen to me since the olden days of pop-under ads, homepage-poaching, and porn-storms in the late 90′s. Unlike in the olden days, this actually stopped without me needing to reboot the machine.

Still, I haven’t had something like that happen in almost 10 years. Strange. And a little worrisome.

201838 comments. Hurry up and add yours before it becomes passé.


  1. stringycustard says:

    Seems to work fine in Firefox on Mac. But then again not much else works fine in Firefox on a Mac.

  2. It worked correctly for me with Firefox, Outlook and Windows 7.

    This is the actual contact link:

    javascript:bet(“22 404 532 404 1059 614 542 714 404 100 404 974 679 22 404 1052 72 1027 662 175 24 404 396 1052 337 791 404 175 1027 1074 1052 404 549 1023 542 1074 949″,1111,667)

    Seems a little… arcane.

    This is the bet() function: http://nopaste.org/p/a47ZcZbpE

    Possibly some kind of antispam measure?

  3. Simon_Says says:

    Spam Blast from the past!

    I would blame it on bad javascript coding.

  4. Aquatopia says:

    I’m glad I’m not the only person that rocks their Windows taskbar on the side of the screen. Represent!

  5. Lupis42 says:

    It seems like the sort of thing I might do just to see if it could be made to work, but I try to ensure that nothing I do for that reason is ever used for anything more important.

  6. I rock my windows taskbar on the the top of the screen.

    Also, this is weird. I don’t even know if it is possible to launch IE via Javascript running on Firefox. I mean, that would require FF to run some sort of exec function on your system, and last time I checked this is a big no-no in a browser environment.

    I’m betting this happened in-between FF and Thunderbird. The javascript probably produced malformed mailto link which somehow caused Thunderbird to bug out. Still, I can’t figure out how the IE got there.

  7. Phoenix says:

    Ahem, Shamus, shouldn’t you update IE because Win Update is nothing more than a fancy facade for IE? And you probably don’t want that mechanism to be outdated…
    Or am I totally wrong about that?

  8. Shamus: if you’re not keeping your computer up-to-date, you’re basically giving all sorts of obsolete viruses the chance to come play with your computer…

    • Shamus says:

      Punning Pundit: I did do all the other major updates & service pack stuff when I unboxed the machine. I simply skipped the IE6 update because I’d already installed FF and I KNEW upgrading to IE7 would make IE the default browser and a bunch of other little annoyances.

      BUT, now that it’s clearly possible to end up running IE6 when you don’t mean to, I’ll have to do the update anyway.

      grumblegum

  9. Nathon says:

    That’s not just arcane. That’s terrible. The for loop increments its variable in the body, so it’s really science += 2. I don’t know what CharCodeAt(idx) means, but if it’s the same as ord(array[idx]), then that whole loop is pointless given the data beginning with 22.

  10. Carra says:

    From all those popups I assume that Nehe site is a free porn site.

    I’ve been a firefox advocate for years now. Running with noscript and addblock makes me feel safe.

  11. TeddyRoSvelte says:

    Here’s the bet function, with deobfuscated variable names and a few comments. It reads the long string of numbers, converts each one to a character, and generates the mailto string. The real weirdness happens in the say function, which performs the actual conversion from number to ASCII character code using the values for agriculture and air.

  12. Al says:

    I have my taskbar on the left hand side of right hand monitor. Is this particularly odd?

  13. skip 7 and get 8, though i am not sure what it gives you other than a kick-ass developer tool add-on (much better than the ie7 add-on)

  14. Sheer_FALACY says:

    Well, all that javascript just does math, which seems unlikely to open IE, so it’s much more likely that the mailto (which resolves to “mailto:nehe[at]gamedev.net?subject=Website Mail”) is the problem. Since that’s a totally legitimate email address (the [at] being from me because I don’t want to spoil ALL of their hard work to make their code unreadable) it seems likely that something broke on the way to Thunderbird.

    What site was it trying to open in IE? Kinda hard to read the screenshot’s url bar.

  15. RichVR says:

    @ Luke Maciak: So do I. I figure that every other Windows bar is on top, why have the taskbar on the bottom? It’s the first thing I do when troubleshooting someones comp. They just don’t understand.

    @ Shamus: I have the same problem with the COH launcher. Firefox is my default browser but if I click on any button in their launch box I end up with IE6 and usually Google Toolbar asking for internet access to update. Annoying.

    Anybody else get this? And if so, how can I fix it besides just remembering not to click in the launcher?

  16. Nick Rowan says:

    Behold! The readme file from the first NeHe tut ever:
    OpenGL Tutorial #1.

    Project Name: Jeff Molofee’s OpenGL Tutorial

    Project Description: Creating An OpenGL Window

    Authors Name: Jeff Molofee (aka NeHe)

    Authors Web Site: nehe.gamedev.net

    COPYRIGHT AND DISCLAIMER: (c)2000 Jeff Molofee

    If you plan to put this program on your web page or a cdrom of
    any sort, let me know via email, I’m curious to see where
    it ends up :)

    If you use the code for your own projects please give me credit,
    or mention my web site somewhere in your program or it’s docs.

    —————————————————-
    I’ve had these tuts from well.. from 2000.

  17. Scourge says:

    Self calling Windows.. Ahh, the sweet times 4 years ago in school. The sweet memories.

    A simple bat file
    :1
    netsend * Hello World!
    open notepad
    run
    goto 1

    Such wonderful terror you could invoke with such an easy program. No one could close it, nor stop it

    Sort of reminds me of this, just with javascript.

  18. AlfieUK says:

    The javascript multi-function method of obfuscating mailto addresses was briefly popular a couple of years back once URL-encoding was ‘broken’ by harvesting software.

    Each function (it uses 3) just does some math on the character array to generate the right URL-encoded string for the mailto.

    The final mailto link should always call the default e-mail client, so it must be something to do with how your set-up is handling the scripting as to why it launched IE, possibly a script debugger grabbing control.

  19. Vladius says:

    Internet Explorer must have been festering for quite a while, like a “sleeper cell.” Just waiting to be opened by the unsuspecting Shamus.

    It has always sucked in this regard, but in its defense, being the most popular browser has led to it becoming the most exploited.

  20. Chris says:

    With IE6 it’s always 1998.

  21. Tuck says:

    Skip IE7, go straight to IE8.

    It’s:
    a) faster
    b) more secure
    c) smaller download
    d) less obtrusive…it won’t steal your default browser settings
    e) actually displays CSS mostly properly (and has a ‘compatibility mode’ for viewing sites designed for previous versions of IE)

    It’s like Microsoft finally realised that IE was stupidly programmed and decided to fix that!

    Of course I use Opera. :]

  22. antsheaven says:

    That’s TDWTF-worthy, you should send that.

  23. On the subject of Firefox on Windows update, have you all read about the latest Windows update that forced an extension into Firefox? That added one of the worst vulnerabilities from IE into Firefox (allowing a site to stealth install software in certain situations).

    The kicker was that in the initial release, the uninstall button was greyed out in the addon manager and to remove it you had to fiddle about in the registry.

    Coverage: http://voices.washingtonpost.com/securityfix/2009/05/microsoft_update_quietly_insta.html

  24. MintSkittle says:

    @RichVR: Firefox is my default browser also, and I get the same thing with my COH launcher. I know nothing of programming, so I have no idea how to fix it. Maybe the launcher buttons call for IE by default?

  25. Miral says:

    @Blackhat:
    As far as I can tell, that’s just FUD. The .NET Assistant lets you run ClickOnce apps, which are .NET apps that run in a security sandbox similar to Java applets. Much safer than ActiveX controls, and AFAIK it won’t download any given app until you explicitly approve it anyway.

  26. Sheer_FALACY says:

    Well, there’s an option for the addon that says “Prompt before running ClickOnce applications”. Sadly, it’s NOT checked by default.

  27. Eltanin says:

    Are you sure that you need that taskbar on the side of the screen like that? Ugh.

    Sigh. To each his own. It’s not my fault that your doing it wrong. ;)

  28. Christian Groff says:

    Ugh! Sucks to be you. I remember when I clicked on a site link and it created sixty ad pop-ups. What a stupid site.

    Well maybe not, but that would be a stupid thing to happen to me. :(

  29. Chaz says:

    Hmm. Tried the taskbar on the side a few years back, didn’t like it. But that was in the days of 4:3 ratios.

    Now all laptops have gone 16:9, I always feel short-changed for height on all applications. Plus I’m on Windows 7 here, which does a better job of managing multitudinous open applications without swamping the taskbar or making them difficult to access. Seems like my preference may be swinging here…

  30. Miral, regardless of how vulnerable it makes Firefox, if at all; they installed something into a 3rd party application and then disabled the ability to remove it.

  31. Neal White says:

    In IE. Hit
    Tools
    internet options
    Programs
    Select the Thunderbird for mail program.

    That should stop various sites from trying to launch Outlook Express from a mailto: call.

  32. Korivak says:

    When I was still using Windows as my primary OS, I always had the Taskbar on the left hand side. Now that I’m running OS X, my Dock is on the left. It really is better that way, especially on a 13.3 inch widescreen laptop monitor, where you need the space on the bottom so much more than a bit of space on the sides.

  33. Eltanin says:

    Alright, I’ll come down off my high horse (which is made of nothing but jokes anyway) to express my curiosity. What do you want with the extra vertical real estate if you have the taskbar on the side? I admit to being curious as to the rationale.

    I have it on the bottom because that’s what Microsoft suggests and I’m a good boy.

  34. AFAB says:

    Maybe it’s just Karma.
    It DID worry you a bit, eh Shamus?

  35. James says:

    A vertical start menu would be good, if only the Start button rotated itself to fit.

    I could never get on with the NeHe stuff, its obsession with commenting every single line of code by only saying what that line did, rather than /why/ it was there got distracting.

  36. Fnord says:

    Hey Blackhat, look how wrong you are.
    http://www.theregister.co.uk/2009/06/01/ms_firefox_extension_row/
    http://support.microsoft.com/?kbid=963707

    Microsoft didn’t prevent you from uninstalling it. That was down to Firefox.

Leave a Reply

Comments are moderated and may not be posted immediately. Required fields are marked *

*
*

Thanks for joining the discussion. Be nice, don't post angry, and enjoy yourself. This is supposed to be fun.

You can enclose spoilers in <strike> tags like so:
<strike>Darth Vader is Luke's father!</strike>

You can make things italics like this:
Can you imagine having Darth Vader as your <i>father</i>?

You can make things bold like this:
I'm <b>very</b> glad Darth Vader isn't my father.

You can make links like this:
I'm reading about <a href="http://en.wikipedia.org/wiki/Darth_Vader">Darth Vader</a> on Wikipedia!