Bugtraq mailing list archives
RE: HTML email "bug", of sorts.
From: Ben Yu <byu () skygo com>
Date: Mon, 20 Aug 2001 17:22:03 -0700
This past thread has been following the lines of how the img tag can be used to track a person's usage, or verify the existence of an email address. This is just an issue of privacy.

Maybe it's obvious, but I'd like to point it out anyways. There exists more dangerous and malicious use of this hole. It would be possible for a person to send an email via some anonymous remailer to introduce a URL attack to the world. This essentially gets the receiver to execute the attack. Virus writers, like the one of Code Red, could have used something like this to remove the possibility that it could be traced back.

All the ideas of filtering, and the use of different clients are good ideas. But in this real world, many people just use Outlook because work requires it (me included). I think that is where a fix needs to be implemented.

I don't even see having an option to disable downloading of images as a good fix. People want to see the images their friends send. If by default we don't download, yet still leave an option so the user can 'double-click', we're still vulnerable to a bit of social engineering. There just doesn't seem to be a good compromise here.

-----Original Message-----
From: Alex Prestin [mailto:wakko () bitey net]
Sent: Saturday, August 18, 2001 3:17 AM
To: bugtraq () securityfocus com
Subject: HTML email "bug", of sorts.

I'm not sure this is the proper forum for "conspiracy-theory" bugs, but I figured this would be of interest to anyone trying to prevent the names of valid email accounts they either own or administer from being verified and added to "official" known-good spam rosters.

You may have heard of "web-bugs" before. Or you may not have. For the benefit of the less-experienced, here's what they are and what they do:

"Web bugs" are small, 1x1 (or similar-sized) transparent GIF images which can be used to track the movement of a user around the web. About 1 in 10 sites use them. Their effectiveness at this task is somewhat questionable, but they can be used more effectively for a different task:

I've started noticing something very disturbing in the HTML in spam mails recently. I've started seeing web bugs. Below is an example from a recent email:

<img src="http://www.megahardcoresex.com/sites/XXXXXXXX0 (continued) 3b/sf03b08152001.gif?M=XXXXXXXXX&ID=wakko () bitey net" width="1" height="1">

See it? A web bug. If I opened this mail in an HTML-capable browser, that little image would've popped up and I would've been none the wiser. My address would also have been verified by the sender, and stored in a large database of valid recipients.

So, anyone have any idea of how to deal with this latest little spammer toy? Is there any effective way to filter out web bugs without adversely affecting the delivery intact of legitimate messages? Could software change to at least warn viewers that this HTML viewer is accessing offsite content? Is it worth doing?

Anyone? Bueller?

- A.P.
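The check asked about in the quoted message (flag offsite images before the HTML is rendered) can be sketched as follows. This is an added example, not code from the thread or from any mail client; the function names, the sample body and the example.invalid hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Constructed sample body; hosts and addresses are placeholders.
SAMPLE_HTML = """<html><body><p>Special offer!</p>
<img src="cid:logo@newsletter" width="200" height="50">
<img src="http://tracker.example.invalid/a.gif?M=123&ID=user@example.org" width="1" height="1">
<img src="https://cdn.example.invalid/banner.png" width="468" height="60">
</body></html>"""


def is_tiny(value):
    """True for a width/height attribute of 0 or 1, with or without 'px'."""
    v = (value or "").strip().lower()
    if v.endswith("px"):
        v = v[:-2].strip()
    return v.isdecimal() and int(v) <= 1


class RemoteImageFinder(HTMLParser):
    """Collect <img> tags whose src makes the viewer contact a remote host."""

    def __init__(self, recipient):
        super().__init__()
        self.recipient = recipient.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        parts = urlsplit(src)
        # cid: and data: images travel inside the message itself; only
        # http(s) and scheme-relative URLs cause an offsite request.
        if parts.scheme not in ("http", "https") and not src.startswith("//"):
            return
        reasons = ["remote image"]
        if is_tiny(a.get("width")) and is_tiny(a.get("height")):
            reasons.append("1x1 or smaller")
        if self.recipient in unquote(src).lower():
            reasons.append("recipient address in URL")
        self.findings.append((parts.hostname, reasons))


def find_web_bugs(html_body, recipient):
    """Return (host, reasons) for every image that would be fetched offsite."""
    finder = RemoteImageFinder(recipient)
    finder.feed(html_body)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for host, reasons in find_web_bugs(SAMPLE_HTML, "user@example.org"):
        print(host, "->", ", ".join(reasons))
```

The size and address checks only rank the findings: any remote image with a per-recipient token in its URL confirms the address when fetched, so a viewer that wants to warn or block has to act on every entry returned, not just the 1x1 ones.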